
2727 matches found

Fedora
added 2026/04/01 1:9 a.m., 4 views

[SECURITY] Fedora 42 Update: rust-resctl-bench-2.2.5-12.fc42

resctl-bench is a collection of whole-system benchmarks to evaluate resource control and hardware behaviors using realistic simulated workloads. Comprehensive resource control involves the whole system. Furthermore, testing resource control end-to-end requires scenarios involving realistic...

CVSS 6.5, AI score 5.9, EPSS 0.00379
Exploits: 1

Fedora
added 2026/04/01 12:57 a.m., 5 views

[SECURITY] Fedora 43 Update: rust-resctl-bench-2.2.5-12.fc43

resctl-bench is a collection of whole-system benchmarks to evaluate resource control and hardware behaviors using realistic simulated workloads. Comprehensive resource control involves the whole system. Furthermore, testing resource control end-to-end requires scenarios involving realistic...

CVSS 6.5, AI score 5.9, EPSS 0.00379
Exploits: 1

CNNVD
added 2026/04/01 12:0 a.m., 7 views

Sage DPW Security Vulnerability

Sage DPW is a human resources system developed by the British company Sage. Version Sage DPW 202506004 contains security vulnerabilities. These vulnerabilities stem from non-default configurations that allow unverified access to diagnostic endpoints, potentially exposing sensitive information suc...

CVSS 7.5, AI score 5.8, EPSS 0.00287
Exploits: 0, References: 2

Snyk
added 2026/03/31 11:15 p.m., 0 views

Cross-site Request Forgery (CSRF)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the admin/save.json.php process. An attacker can modify sensitive plugin configurations, such as payment processor credentials o...

CVSS 8.6, AI score 5.8, EPSS 0.00233
Exploits: 1, References: 2

OSV
added 2026/03/31 11:10 p.m., 2 views

GHSA-G3MX-8JM6-RC85 Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php

Reported by: Juan Felipe Oz @JF0x0r (LinkedIn). Summary: The delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations —...

CVSS 4.6, AI score 6, EPSS 0.00123
Exploits: 1, References: 4

NVD
added 2026/03/31 9:16 p.m., 5 views

CVE-2026-34382

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently...

CVSS 4.6, EPSS 0.00123
Exploits: 1, References: 2

ATTACKERKB
added 2026/03/31 8:32 p.m., 4 views

CVE-2026-34382

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently...

CVSS 4.6, AI score 5.8, EPSS 0.00123
Exploits: 1, References: 3, Affected Software: 1

ATTACKERKB
added 2026/03/31 2:1 a.m., 2 views

CVE-2026-34070

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...

CVSS 7.5, AI score 5.9, EPSS 0.01073
Exploits: 2, References: 4, Affected Software: 1

Positive Technologies
added 2026/03/31 12:0 a.m., 3 views

PT-2026-29349

Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.7. Description: The delete mode handler in mylist_function.php does not validate a CSRF token before permanently deleting list configurations. An attacker can exploit this by luring an authenticated user to a...

CVSS 4.6, AI score 6, EPSS 0.00123
Exploits: 1, References: 6

CNNVD
added 2026/03/31 12:0 a.m., 6 views

Admidio Cross-Site Request Forgery Vulnerability

Admidio is a set of open-source member management systems developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Versions of Admidio from 5.0.0 to 5.0.8 had a cross-site request forgery vulnerability. This...

CVSS 4.6, AI score 5.7, EPSS 0.00123
Exploits: 1, References: 3

Positive Technologies
added 2026/03/31 12:0 a.m., 2 views

PT-2026-29232

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like /config set channels..accounts...

CVSS 7.1, AI score 6, EPSS 0.00194
Exploits: 0, References: 3

CNNVD
added 2026/03/30 12:0 a.m., 3 views

Nginx UI Security Vulnerability

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI prior to 2.3.4 contained security vulnerabilities. These vulnerabilities stemmed from the backup and restoration mechanism, which allowed attackers to tamper with encrypted backup archives and inject malicious...

CVSS 9.4, AI score 6, EPSS 0.00328
Exploits: 1, References: 3

CNNVD
added 2026/03/30 12:0 a.m., 4 views

CI4MS Cross-Site Scripting Vulnerability

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.0.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of user input related to email settings in system configurations, which could lead to...

CVSS 7.2, AI score 5.6, EPSS 0.00358
Exploits: 1, References: 2

NVD
added 2026/03/27 10:16 p.m., 1 views

CVE-2026-33979

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data in req.body, req.query, req.headers and req.params to prevent Cross Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are...

CVSS 8.2, EPSS 0.00382
Exploits: 1, References: 3

CVE
added 2026/03/27 9:29 p.m., 13 views

CVE-2026-33979

CVE-2026-33979 affects the Express XSS Sanitizer middleware (Express 4.x/5.x). The root cause is that, in versions prior to 2.0.2, explicitly provided empty configurations for allowedTags or allowedAttributes are ignored, causing a fallback to sanitize-html’s permissive defaults. This leads to a ...

CVSS 8.2, AI score 5.7, EPSS 0.00382
Exploits: 1, References: 3, Affected Software: 1

ATTACKERKB
added 2026/03/27 9:29 p.m., 0 views

CVE-2026-33979

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data in req.body, req.query, req.headers and req.params to prevent Cross Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are...

CVSS 8.2, AI score 5.7, EPSS 0.00382
Exploits: 1, References: 4, Affected Software: 1

Snyk
added 2026/03/27 8:24 p.m., 1 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the host transfer API due to missing authorization checks on the source team. An attacker can gain unauthorized control over hosts belonging to other teams by initiating a transfer, resulting in the ability to...

CVSS 8.8, AI score 6, EPSS 0.00315
Exploits: 0, References: 2

NVD
added 2026/03/27 7:16 p.m., 6 views

CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVSS 8.8, EPSS 0.00318
Exploits: 0, References: 1

ATTACKERKB
added 2026/03/27 6:30 p.m., 5 views

CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVSS 8.7, AI score 6, EPSS 0.00318
Exploits: 0, References: 2, Affected Software: 1

CVE
added 2026/03/27 6:30 p.m., 16 views

CVE-2026-34386

Fleet is open source device management software. Before 4.81.0, a SQL injection vulnerability in Fleet’s MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet da...

CVSS 8.8, AI score 6, EPSS 0.00318
Exploits: 0, References: 1, Affected Software: 1