11798 matches found

CVE
added 2026/05/08 2:21 p.m. | 10 views

CVE-2026-43363

CVE-2026-43363 concerns the Linux kernel x86 APIC subsystem. If, on resume from s2ram (S2/S3 wake), firmware re-enables x2APIC mode after the kernel has booted with x2APIC disabled, the system can run with x2APIC hardware but the kernel uses the xapic interface, leading to hangs. The issue is cau...

CVSS 5.5 | AI score 5.7 | EPSS 0.00015
Exploits 0 | References 8 | Affected Software 1
NVD
added 2026/05/08 2:16 p.m. | 4 views

CVE-2025-71297

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode(). rtw8822b_set_antenna() can be called from userspace when the chip is powered off. In that case a WARNING is triggered in rtw8822b_config_trx_mode() because trying to read the RF...

CVSS 5.5 | EPSS 0.00015
Exploits 0 | References 6
Wolfi
added 2026/05/08 1:48 p.m. | 9 views

CVE-2026-40973 vulnerabilities

Vulnerabilities for packages: thingsboard, apache-nifi-registry, keycloak-config-cli, zipkin...

CVSS 7 | AI score 5.1 | EPSS 0.00009
Exploits 0
Wolfi
added 2026/05/08 1:48 p.m. | 9 views

GHSA-WWPQ-F5C3-7HVX vulnerabilities

Vulnerabilities for packages: thingsboard, apache-nifi-registry, keycloak-config-cli, zipkin...

AI score 5.2
Exploits 0
Chainguard
added 2026/05/08 1:17 p.m. | 8 views

CVE-2026-40973 vulnerabilities

Vulnerabilities for packages: zipkin, camunda-zeebe, keycloak-config-cli, nacos-docker, kafbat-ui-fips, apache-nifi-registry, kafbat-ui, nacos, thingsboard...

CVSS 7 | AI score 5.1 | EPSS 0.00009
Exploits 0
Chainguard
added 2026/05/08 1:17 p.m. | 6 views

GHSA-WWPQ-F5C3-7HVX vulnerabilities

Vulnerabilities for packages: zipkin, camunda-zeebe, keycloak-config-cli, nacos-docker, kafbat-ui-fips, apache-nifi-registry, kafbat-ui, nacos, thingsboard...

AI score 5.2
Exploits 0
The Hacker News
added 2026/05/08 11:0 a.m. | 12 views

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and...

AI score 6.1
Exploits 0
NVD
added 2026/05/08 4:16 a.m. | 8 views

CVE-2026-42264

Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

CVSS 9.1 | EPSS 0.0003
Exploits 1 | References 4
OSV
added 2026/05/08 4:16 a.m. | 5 views

UBUNTU-CVE-2026-42264

Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

CVSS 9.1 | AI score 5.7 | EPSS 0.0003
Exploits 1 | References 7
UbuntuCve
added 2026/05/08 4:16 a.m. | 3 views

CVE-2026-42264

Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

CVSS 9.1 | AI score 5.7 | EPSS 0.0003
Exploits 1 | References 6
SUSE CVE
added 2026/05/08 2:21 a.m. | 4 views

SUSE CVE-2026-41684

Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid...

CVSS 6.5 | AI score 5.7 | EPSS 0.00027
Exploits 1 | References 3
CNNVD
added 2026/05/08 12:0 a.m. | 6 views

CashDro security vulnerability

CashDro is an intelligent device system developed by CashDro Corporation, designed for automated management of cash receipts and change dispensing at stores. Version 3.24.01.00.26 of CashDro contains a security vulnerability. This vulnerability stems from the platform’s ability to allow user...

CVSS 9.3 | AI score 5.8 | EPSS 0.00115
Exploits 0 | References 1
Positive Technologies
added 2026/05/08 12:0 a.m. | 7 views

PT-2026-39084

Vulnerable software and affected versions: Linux kernel (affected versions not specified). Description: An issue exists in the USB gadget f_ncm component where the ncm_set_alt function holds a mutex to prevent races with configfs. This action invokes a sleeping function within an atomic...

AI score 5.8 | EPSS 0.00014
Exploits 0 | References 6
Positive Technologies
added 2026/05/08 12:0 a.m. | 7 views

PT-2026-39187

Vulnerable software and affected versions: Scoold versions prior to 1.67.0. Description: Scoold allows the modification of the admins configuration value via the "/api/config/set/admins" endpoint using a forged Bearer token that is accepted as an admin API token. This action writes a...

CVSS 6.7 | AI score 5.8 | EPSS 0.0005
Exploits 0 | References 5
Positive Technologies
added 2026/05/08 12:0 a.m. | 6 views

PT-2026-38922

Vulnerable software and affected versions: Linux kernel (affected versions not specified). Description: An issue exists in the rtw88 wireless driver where the rtw8822b_set_antenna function can be called from userspace while the chip is powered off. This sequence triggers a warning in the...

CVSS 5.5 | AI score 5.8 | EPSS 0.00015
Exploits 0 | References 9
Positive Technologies
added 2026/05/08 12:0 a.m. | 8 views

PT-2026-38910

Vulnerable software and affected versions: CashDro 3 version 24.01.00.26. Description: The web administration panel allows the use of numeric PINs for user authentication to maintain compatibility with POS software integrations deployed since 2012. This implementation enables attackers t...

CVSS 9.3 | AI score 5.8 | EPSS 0.00115
Exploits 0 | References 4
Positive Technologies
added 2026/05/08 12:0 a.m. | 8 views

PT-2026-38993

Vulnerable software and affected versions: Linux kernel (affected versions not specified). Description: A race condition exists in the USB gadget RNDIS driver where class, subclass, and protocol options can be accessed concurrently through configfs. This issue was discovered during code...

CVSS 4.7 | AI score 5.9 | EPSS 0.00014
Exploits 0 | References 21
NVD
added 2026/05/07 7:16 p.m. | 10 views

CVE-2026-42284

GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, clone validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but aft...

CVSS 9.8 | EPSS 0.00022
Exploits 1 | References 3
Cvelist
added 2026/05/07 6:22 p.m. | 31 views

CVE-2026-44244 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), b...

CVSS 7.8 | EPSS 0.00026
Exploits 1 | References 2
Cvelist
added 2026/05/07 1:8 p.m. | 23 views

CVE-2026-41684 Incus: Nil Dereferences on Restore via Malformed YAML

Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid...

CVSS 6.5 | EPSS 0.00027
Exploits 1 | References 2