CVE-2026-3844 Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetchgravatarfromremote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected...

CVE-2026-41211

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

SUSE CVE-2026-33258

By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC3 caches...

SUSE CVE-2026-33598

A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress or getAddressListByDomain on a packet cache...

SUSE CVE-2026-33601

If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service...

CVE-2026-41211

Summary of CVE-2026-41211 (vite-plus/binding) : The vulnerability affects Vite+ before version 0.1.17, where downloadPackageManager() uses an untrusted version string directly in filesystem paths. An attacker can supply traversal segments (e.g., ../) or absolute paths to escape VP_HOME/package_ma...

EUVD-2026-25163

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

CVE-2026-41211 `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

CVE-2026-41211

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

VulnCheck KEV: CVE-2026-3844

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetchgravatarfromremote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected...

PT-2026-34681

Summary Requesting a static JS/CSS resource from the astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file — regardless of the if-match header — will be served a...

WordPress plugin Breeze Cache 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

SUSE SLES15 Security Update : flatpak (SUSE-SU-2026:1541-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1541-1 advisory. - CVE-2026-34078: improper processing of app-controlled symlinks by sandbox-expose can lead to sandbox escape, host file access and...

RHEL 9 : squid (RHSA-2026:10256)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:10256 advisory. Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fixes: squid: Squid: Deni...

Linux kernel local elevation of privilege vulnerability (CNVD-2026-19044)

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A local elevation of privilege vulnerability exists in the Linux kernel, which stems from a flaw in the logic of the crypto: algifaead module when handling AEAD operations, and...

PT-2026-34629

Name of the Vulnerable Software and Affected Versions Breeze Cache versions prior to 2.4.5 Description An arbitrary file upload issue exists in the Breeze Cache plugin for WordPress, affecting approximately 400,000 active installations. The flaw is located in the fetch gravatar from remote...

PT-2026-34601

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP HOME/package manager// cache root a...

justhtml has sanitization bypass in custom policies and programmatic DOM

Summary justhtml 1.17.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling. Most of these issues affected advanced or custom configurations rather than the default safe path. Affected versions - justhtml , MathML , SVG / , and MathML text integration poin...

GHSA-VRX2-77F2-WW34 justhtml has sanitization bypass in custom policies and programmatic DOM

Summary justhtml 1.17.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling. Most of these issues affected advanced or custom configurations rather than the default safe path. Affected versions - justhtml , MathML , SVG / , and MathML text integration poin...