CVE-2026-33552

Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control...

CVE-2026-21785 HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy

A misconfigured Content Security Policy CSP in HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources...

CVE-2026-21785

CVE-2026-21785 relates to a misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions ≤ 10.1.0.0442). The CSP failures occur because directives are defined without fallbacks, enabling attackers to bypass intended security restrictions and load unauthorized re...

EUVD-2026-32658

A misconfigured Content Security Policy CSP in HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources...

CVE-2026-9579

A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit...

CVE-2026-46036

A flaw was found in the Linux kernel's vfio/cdx component. A race condition can occur during concurrent VFIODEVICESETIRQS ioctls input/output control calls, specifically within the vfiocdxsetmsitrigger function. This allows two callers to interact in a way that leads to a use-after-free...

CVE-2026-46071

A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM subsystem, specifically affecting its nested virtualization nSVM capabilities. The issue arises from incorrect handling of Virtual Machine Control Block Last Branch Record VMCBLBR data when copied to vmcb12, an operation that...

External Control of System or Configuration Setting

Overview Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the found-action process. An attacker can execute arbitrary shell commands on the host system by sending specially crafted JSON data to the REST API server endpoint when it is...

External Control of System or Configuration Setting

Overview Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the found-action process. An attacker can execute arbitrary shell commands on the host system by sending specially crafted JSON data to the REST API server endpoint when it is...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the custom-payload-file field in REST API server mode. An attacker can read and exfiltrate arbitrary files accessible to the process by supplying a path to a file, which is then read line-by-lin...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the custom-payload-file field in REST API server mode. An attacker can read and exfiltrate arbitrary files accessible to the process by supplying a path to a file, which is then read line-by-lin...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the output option in server mode. An attacker can create or append to arbitrary files on the host filesystem by sending crafted requests to the REST API, as the file path is taken directly from...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the output option in server mode. An attacker can create or append to arbitrary files on the host filesystem by sending crafted requests to the REST API, as the file path is taken directly from...

watch-tower

OT/ICS Threat Intelligence Lab Local threat intelligence lab...

CVE-2026-46088

A flaw was found in the Linux kernel's Advanced Linux Sound Architecture ALSA control component. Improper validation of the buffer length before a string length operation in the sndctleleminitenumnames function can lead to a system panic. This vulnerability could allow a local attacker to trigger...

CVE-2026-45081

Frappe HRMS (HRMS) has a permission bypass in the Leave Details API. Before version 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks; the issue is fixed in 16.5.0.

EUVD-2026-32608

Frappe HR is an open-source human resources management solution HRMS. Prior to 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0...

CVE-2026-49054

Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Post Grid: from n/a through 7.9.2...

CVE-2026-44316

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler HandleCreateSmPolicyRequest panics with a nil-pointer dereference when a downstream OpenAPI consumer call UDR lookup returns 404 Not Found and the...

CVE-2026-42459

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm Subscriber Data Management service. An unauthenticated attacker can inject control characters into the SUPI...