SUSE-SU-2026:21989-1 Security update for google-guest-agent

This update for google-guest-agent fixes the following issues: Update to version 20260430.00 Update THIRDPARTYLICENSES to be package specific location. 608 Update dependencies and go version to 1.26.2 607 bsc1265762, CVE-2026-33814 Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 604...

EUVD-2026-34153

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network...

PT-2026-46053

Name of the Vulnerable Software and Affected Versions Securly Chrome Extension version 3.0.7 Description The software downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions using the new RegExp function without complexity validation. An on-path...

PT-2026-46071

Name of the Vulnerable Software and Affected Versions ealpha072 Student-Management-System versions prior to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08 Description An issue in the Administrative Backend component, specifically within the 'admin/config.php' file, allows for improper authentication...

CVE-2026-36460

CVE-2026-36460 affects Dovestones Softwares ADPhonebook prior to v4.0.1.1. The issue is a Cross Site Scripting flaw in the /Admin/Save API where an authenticated admin can store malicious JavaScript payloads in multiple configuration sections due to missing input validation or output encoding. Af...

CVE-2026-47117

OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...

CVE-2026-1784

The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document was insufficient and could allow a controlled injection of the HAProxy configuration...

CVE-2026-10514

A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit...

CVE-2026-10514 1Panel-dev CordysCRM RequestParamTrimConfig.java cross site scripting

A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit...

CVE-2026-45630

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation...

Malicious Package

Overview opensearch-config-utility is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...

Malicious Package

Overview env-config-manager is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...

Malicious Package

Overview app-config-utility is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...

CVE-2026-45279 Nextcloud: Limited path traversal via template API if using `{lang}` in config

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...

CVE-2026-45279 Nextcloud: Limited path traversal via template API if using `{lang}` in config

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...

@aamini/config (>=0.0.1 <=0.0.13), @baic/preset-yolk-taro-miniprogram (>=2.1.0-alpha.278 <=2.1.0-alpha.281) +9 more potentially affected by CVE-2026-47428 via @vitest/browser (>=4.0.17 <=4.1.5)

@vitest/browser NPM version =4.0.17, =0.0.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.2, =4.0.2, =4.0.2, =0.5.0, =0.1.13, =0.2.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...

@astralis-os/vitest (=2.4.1), @aws/nx-plugin (>=0.79.1 <=0.84.2) +75 more potentially affected by CVE-2026-47429 via vitest (>=4.0.13 <=4.0.9)

vitest NPM version =4.0.13, =0.79.1, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =2.1.0-alpha.278, =4.0.0-alpha.31, =1.2.3-preview-a960555.0, =7.2.0, =11.0.33, =21.0.0-alpha.33, =23.0.0-alpha.1 - @forsakringskassan/vitest-config =1.1.0 and more Source cves:...

BIT-KIBANA-2026-49095 Improper Input Validation in Kibana Fleet Leading to Privilege Escalation

Improper Input Validation CWE-20 in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequatel...

BIT-ELK-2026-49095 Improper Input Validation in Kibana Fleet Leading to Privilege Escalation

Improper Input Validation CWE-20 in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequatel...

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +38 more potentially affected by CVE-2026-41014 via apache-airflow-core (>=3.0.0 <=3.2.1rc3)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-41014 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-17137573...