Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011041)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011041 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: release mutex after nftgcseqend from abort path The commit mutex should not ...

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011399)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011399 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: use timestamp to check for set element timeout Add a timestamp field at the...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013108)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013108 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: mark set as dead when unbinding anonymous set with timeout While the...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013371)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013371 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftsetrbtree: skip end interval element from gc rbtree lazy gc on insert might collect...

MAL-2026-2841 Malicious code in lixxyly (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e3c0a4fef6764ec743cc96d88d10dbc9a33197300a3b916746ab5f5391ad6e96 Starting the module activates a hardcoded telegram bot allowing remote code execution, data exfiltration, collecting webcam photos, clipboard data, etc. ---...

GHSA-F5V8-V6Q3-Q4H6 Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)

Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...

Anonymizing Network Traffic: A Dive into SOCKS5 and Data Encryption

SOCKS5 protocol explained: anonymize traffic, boost security with encryption, bypass restrictions, and enable reliable data collection for business use...

October Rain has a Twig Sandbox Bypass via Collection Methods

A sandbox bypass vulnerability was identified in the optional Twig safe mode feature CMSSAFEMODE. Certain methods on the collect helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Impact - Bypass of Twig sandbox...

CVE-2026-22692

CVE-2026-22692 affects October CMS Twig sandbox (CMS_SAFE_MODE). Vulnerable in versions prior to 3.7.13 and 4.0.0–4.1.4; fixed in 3.7.13 and 4.1.5. Root cause: collect()->mapInto() on SafeCollection bypasses SecurityPolicy, allowing authenticated template editors to bypass sandbox. Exploitatio...

EUVD-2019-20128

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collectionedit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to...

CVE-2019-25693

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collectionedit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to...

CVE-2019-25693 ResourceSpace 8.6 SQL Injection via collection_edit.php

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collectionedit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to...

CVE-2019-25693

CVE-2019-25693 – ResourceSpace 8.6 SQL injection : An authenticated attacker can inject malicious SQL via the keywords parameter in collection_edit.php (also noted as collection edit.php in some sources), enabling execution of arbitrary queries and extraction of sensitive data such as schema info...

CVE-2019-25693

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collectionedit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to...

CVE-2019-25693 ResourceSpace 8.6 SQL Injection via collection_edit.php

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collectionedit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to...

PT-2026-32161

ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to...

Montala ResourceSpace 跨站请求伪造漏洞

Montala ResourceSpace is an open-source digital asset management tool developed by Montala Company in the UK. It enables users to organize their digital assets. Version 8.6 of Montala ResourceSpace contains a cross-site request forgeing vulnerability, which stems from insufficient input validatio...

MINI-PJFR-8XJR-V8P6

Bulletin has no description...

MAL-2026-2527 Malicious code in sjs-biginteger (npm)

sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...

GHSA-65W6-PF7X-5G85 @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

Impact All /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin and any access rules defined on Puck-registered collections wer...