219601 matches found

IBM Security Bulletins
added 2026/05/18 8:52 p.m., 20 views

Security Bulletin: IBM i is Affected by Improper Handling of Special Elements and Improper Neutralization of Null Byte Vulnerabilities in OpenSSH [CVE-2025-61984, CVE-2025-61985]

Summary: OpenSSH for IBM i is vulnerable to allowing control characters in usernames (CVE-2025-61984) and allowing null bytes in the URI (CVE-2025-61985), as described in the vulnerability details section. Vulnerability Details: CVEID: CVE-2025-61984. DESCRIPTION: ssh in OpenSSH before 10.1 allows control...

CVSS 3.6, AI score 6.8, EPSS 0.00221
Exploits: 2, Affected Software: 6
NVD
added 2026/05/18 8:16 p.m., 15 views

CVE-2026-47090

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...

CVSS 4.6, EPSS 0.00104
Exploits: 0, References: 4
NVD
added 2026/05/18 8:16 p.m., 17 views

CVE-2026-21789

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios...

CVSS 4.6, EPSS 0.00122
Exploits: 0, References: 1
EUVD
added 2026/05/18 8:10 p.m., 10 views

EUVD-2026-30804

SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQ...

CVSS 8.6, AI score 6.1, EPSS 0.00316
Exploits: 0, References: 3
Debian CVE
added 2026/05/18 8:10 p.m., 5 views

CVE-2026-8851

SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can...

CVSS 8.6, AI score 6.1, EPSS 0.00316
Exploits: 0
CVE
added 2026/05/18 7:17 p.m., 14 views

CVE-2026-21789

CVE-2026-21789 affects HCL Connections and describes a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. The CVSS 3.1 base score is 4.6 (MEDIUM) with a vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network attack with low privil...

CVSS 4.6, AI score 5.8, EPSS 0.00122
Exploits: 0, References: 1
EUVD
added 2026/05/18 7:17 p.m., 12 views

EUVD-2026-30798

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios...

CVSS 4.6, AI score 5.8, EPSS 0.00122
Exploits: 0, References: 1
Cvelist
added 2026/05/18 7:17 p.m., 36 views

CVE-2026-21789 HCL Connections is vulnerable to broken access control

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios...

CVSS 4.6, EPSS 0.00122
Exploits: 0, References: 1
ATTACKERKB
added 2026/05/18 7:17 p.m., 10 views

CVE-2026-21789

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios...

CVSS 4.6, AI score 5.8, EPSS 0.00122
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2026/05/18 7:17 p.m., 9 views

CVE-2026-21789 HCL Connections is vulnerable to broken access control

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios...

CVSS 4.6, AI score 5.8, EPSS 0.00122
Exploits: 0, References: 1
EUVD
added 2026/05/18 7:8 p.m., 19 views

EUVD-2026-29571

Microsoft Security Advisory CVE-2026-32175 – .NET Core Tampering Vulnerability...

CVSS 4.3, AI score 5.8, EPSS 0.00711
Exploits: 0, References: 4
EUVD
added 2026/05/18 6:6 p.m., 10 views

EUVD-2026-30790

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...

CVSS 9.1, AI score 5.9, EPSS 0.00626
Exploits: 0, References: 2
Snyk
added 2026/05/18 5:34 p.m., 11 views

Access Control Bypass

Overview: sulu/sulu is a highly extensible open-source PHP content management system based on the Symfony framework. Affected versions of this package are vulnerable to Access Control Bypass in the users endpoint controller, which exposes the apiKey field to logged-in users who have permission for...

CVSS 3.1, AI score 5.8
Exploits: 0, References: 2
Friends Of PHP
added 2026/05/18 4:40 p.m., 11 views

TYPO3-EXT-SA-2026-009: Broken Access Control in extension "Frontend User Registration" (sf_register)

More info at https://typo3.org/security/advisory/typo3-ext-sa-2026-009...

CVSS 6.9, AI score 5.8, EPSS 0.00352
Exploits: 0, Affected Software: 1
RedhatCVE
added 2026/05/18 2:52 p.m., 16 views

CVE-2026-45190

A flaw was found in Net::CIDR::Lite, a Perl module for handling IP address ranges. This vulnerability allows a remote attacker to bypass IP Access Control Lists (ACLs) due to improper validation of IP address and CIDR (Classless Inter-Domain Routing) mask inputs. Specifically, inputs containing...

CVSS 6.5, AI score 5.8, EPSS 0.00311
Exploits: 0, References: 6
OSV
added 2026/05/18 2:14 p.m., 6 views

MAL-2026-3830 Malicious code in @zentrafinance/contracts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 867d053632b3bcc143ed8f9f0f75a1dccdc210cede972e8006d698ef796793e5 The package @zentrafinance/contracts was found to contain malicious code. Source: ghsa-malware...

AI score 5.8
Exploits: 0, References: 1
HackRead
added 2026/05/18 1:42 p.m., 15 views

Government Backed Hackers Abuse Cloudflare in Malaysian Espionage Campaign

Government-backed hackers abused Cloudflare storage services in a Malaysian espionage campaign involving hidden C2 systems and data exfiltration...

AI score 5.8
Exploits: 0
SUSE CVE
added 2026/05/18 1:22 p.m., 13 views

SUSE CVE-2026-6479

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18....

CVSS 7.5, AI score 5.8, EPSS 0.00471
Exploits: 0, References: 22
Cvelist
added 2026/05/18 8:32 a.m., 45 views

CVE-2026-6343 Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591...

CVSS 4.3, EPSS 0.00165
Exploits: 0, References: 1
EUVD
added 2026/05/18 8:11 a.m., 14 views

EUVD-2026-30753

Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

CVSS 6.5, AI score 5.8, EPSS 0.00205
Exploits: 0, References: 1