ROS-20260610-73-0006

The vulnerability in Thunderbird relates to the bypassing of authentication mechanisms through spoofing. Exploiting this vulnerability allows a malicious actor to carry out spoofing attacks remotely...

PT-2026-48531

Name of the Vulnerable Software and Affected Versions kafka-python versions prior to 2.3.2 Description A denial-of-service issue exists in the SCRAM authentication handling. A malicious or machine-in-the-middle broker can freeze the client event loop by providing an excessively large iteration...

postgresql-jdbc security update

42.2.14-4 - Limit SCRAM PBKDF2 iterations to prevent DoS via malicious server - Resolves: CVE-2026-42198...

EulerOS 2.0 SP13 : curl (EulerOS-SA-2026-2283)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : libcurl can in some circumstances reuse the wrong connection when asked to dox000D an Negotiate-authenticated HTTP or HTTPS request.x000D x000D...

Lenovo Smart Connect 安全漏洞

Lenovo Smart Connect is a cross-device collaboration platform developed by China’s Lenovo Corporation. There is a security vulnerability in Lenovo Smart Connect for Windows. This vulnerability stems from a potential authentication bypass, which may allow locally authenticated users to execute...

Russh 输入验证错误漏洞

Russh is a Rust SSH client and server library developed by Eugene as a personal project. In versions of Russh from 0.34.0-beta.1 to 0.61.0, there was an input validation vulnerability. This vulnerability stemmed from lax implementation of SSH identifier string rules. The server-side identifier...

Roxy-WI 安全漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Roxy-WI versions 8.2.6.4 and earlier contain security vulnerabilities. These vulnerabilities stem from the lack of authorization checks for the GET /history/ route when the service is set to user...

Russh 授权问题漏洞

Russh is a Rust SSH client and server library developed by Eugene as a personal project. In versions of Russh from 0.34.0-beta.1 to 0.61.0, there was an authorization vulnerability. This vulnerability stemmed from the server authentication path not separating the internal authentication state whe...

Slate Digital Connect 安全漏洞

Slate Digital Connect is an audio plugin management and licensing client developed by Slate Digital. Version 1.37.0 of Slate Digital Connect contains a security vulnerability. This vulnerability stems from a check-time and usage-time race condition in the PID-based client authentication process. ...

Roxy-WI 安全漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Roxy-WI versions 8.2.6.4 and earlier contain security vulnerabilities. These vulnerabilities stem from the PUT /smon/check endpoint, which only verifies that the caller belongs to a certain group...

Russh 输入验证错误漏洞

Russh is a Rust SSH client and server library developed by Eugene as an individual contributor. In versions of Russh from 0.37.0 to 0.61.0, there was a vulnerability related to input validation errors. This vulnerability stemmed from the keyboard interaction authentication process, where a...

Erlang/OTP -- timing-based username enumeration in SSH password authentication

https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4 reports: A timing-based username enumeration vulnerability during password authentication with the userpasswords option has been fixed by performing a dummy PBKDF2 computation for invalid usernames, so authentication timing no...

EulerOS 2.0 SP13 : cups (EulerOS-SA-2026-2325)

According to the versions of the cups packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure due to the Spring Security integration paths in SpringSecurityUtils.checkUserValidity, SpringSecurityPasswordValidationCallbackHandler, and X509AuthenticationProvider, which surface account status exceptions such as...

ImageMagick 信息泄露漏洞

ImageMagick is a set of open-source image processing software developed by the ImageMagick project. It can read, convert, and write images in various formats. Versions of ImageMagick prior to 6.9.13-48 and 7.1.2-23 contained a vulnerability related to information leakage. This vulnerability stemm...

CVE-2026-41706 Open Redirect When Using CookieRequestCache

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is us...

CVE-2026-41706

Spring Security: CookieRequestCache and CookieServerRequestCache store the full absolute pre-authentication URL in a browser cookie and use it as the post-login redirect target without validation. Affected versions include Spring Security 5.7.0–5.7.23; 5.8.0–5.8.25; 6.3.0–6.3.16; 6.4.0–6.4.16; 6....

CVE-2026-53675 BuddyPress 14.4.0 Friends List IDOR via REST API

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

CVE-2026-53673 BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

CVE-2026-53673 BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...