CVE-2026-45364

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for or the configured IP-bearing header. IPv6 clients controlling a typical /6...

SUSE CVE-2026-40016

Attacker can upload a malicious Sieve script over ManageSieve service or locally to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed...

CVE-2026-40016

CVE-2026-40016: An attacker can upload a malicious Sieve script via ManageSieve (or local access) to bypass CPU time limits, potentially increasing allowed run time up to 130× the configured limit and degrading server performance. Affected component is the Sieve execution/ManageSieve handling; ro...

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions through a crafted Chrome Extension...

netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood

A flaw was found in Netty. A remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume...

PT-2026-32241

Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions...

wisp has Allocation of Resources Without Limits or Throttling

Summary A multipart form parsing bug allows any unauthenticated user to bypass configured request size limits and trigger a denial of service by exhausting server memory or disk. Details The issue is in the multipart parsing logic, specifically in multipartbody and multipartheaders. When parsing...

CVE-2019-25483

Comtrend AR-5310 GE31-412SSG-C01R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrictions by using the command substitution operator $ . Attackers can inject arbitrary commands through the $ syntax when passed as arguments to allowed...

Oracle Linux 10 : protobuf (ELSA-2026-3094)

The remote Oracle Linux 10 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-3094 advisory. - Fix CVE-2026-0994: nested Any messages bypassing recursion depth limits Tenable has extracted the preceding description block directly from the Oracle Linux...

CVE-2025-69871

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage...

PT-2025-54224

Name of the Vulnerable Software and Affected Versions Temporal versions 1.24.0 through 1.29.1 Description When the frontend.enableExecuteMultiOperation setting is enabled, the server incorrectly applies namespace-scoped validation and feature gates. Specifically, it uses the Namespace field from ...

131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign

Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to...

Lichess: Unauthorized Blogs Creation

A vulnerability was identified on the lichess.org website that allowed unauthorized blog creation. By manipulating certain requests and leveraging the session cookies of a different account, an attacker could bypass account-specific limitations and create a blog post on an account that was not ye...

The vulnerability of the software for processing and transmitting confidential data in Progress MOVEit Transfer arises from the lack of measures taken to protect the SQL query structure. This allows attackers to circumvent security restrictions, execute arbitrary SQL code, and gain unauthorized access to read, modify, or delete data.

The vulnerability of the software for processing and transmitting confidential data using Progress MOVEit Transfer is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows an attacker, operating remotely, to circumvent security restrictions...

Nextcloud 安全漏洞

Nextcloud is Germany's Nextcloud company's set of open source self-hosted file synchronization and sharing communication application platform. A security vulnerability exists in Nextcloud Server versions 25.0.7, 26.0.2, Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7,...

CVE-2021-44093

A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell...

Linux Kernel Parameter and Environment String Size Limit Bypass Vulnerability

Linux kernel is an open source operating system. Linux kernel suffers from a memory corruption vulnerability that allows local attackers to bypass restrictions by submitting special requests using the vulnerability...

Xalan-Java: insufficient constraints in secure processing feature

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations XSLT content to be processed by an application using Xalan-Java could use this...

CVE-2001-1459

OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication Module PAM session if commands are executed with no pty, which allows local users to bypass resource limits rlimits set in pam.d...