CVE-2026-29048
HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulnerability was identified in the Button component. Due to inconsistent output encoding at several points within the software, malicious scripts could be injected and executed in the...
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
Microsoft on Thursday disclosed details of a new widespread ClickFix social engineering campaign that has leveraged the Windows Terminal app as a way to activate a sophisticated attack chain and deploy the Lumma Stealer malware. The activity, observed in February 2026, makes use of the terminal...
CVE-2025-59540
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
EUVD-2025-208337
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
EUVD-2026-9972
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb accepts request header values and later maps them into CGI environment variables (HTTP_*). The parser did not strictly reject dangerous control characters in header lines and header values, including CR, L...
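The header-to-CGI mapping described in the TinyWeb entry is the point where control characters become dangerous, because a CR, LF or NUL that survives into an HTTP_* variable reaches the CGI child as part of its environment. The following is an added example, not TinyWeb's code: a strict mapper that splits on CRLF only, validates header names as RFC 9110 tokens, rejects any C0 control byte in a value, and only then builds the HTTP_* environment. The request bytes are constructed for the example.

```python
"""Map HTTP request headers to CGI HTTP_* environment variables, rejecting
control characters instead of passing them through (added example, not
TinyWeb's code)."""
import re

# RFC 9110 field-name "token" characters; anything else is rejected.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field values may hold VCHAR, SP, HTAB and obs-text; reject NUL, CR, LF,
# every other C0 control and DEL.
_BAD_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# CGI/1.1 exposes these two without the HTTP_ prefix.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


class BadHeader(ValueError):
    """The request should be answered with 400 and not reach any CGI program."""


def parse_headers(raw):
    """Split a header block on CRLF only. A bare CR or LF inside a line is
    left in the value so that to_cgi_env() rejects it; it is never treated
    as a line terminator or folded away."""
    text = raw.decode("latin-1")
    if text.endswith("\r\n\r\n"):
        text = text[:-4]
    headers = []
    for line in text.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise BadHeader("header line without a colon: %r" % line)
        headers.append((name, value.strip(" \t")))
    return headers


def to_cgi_env(headers):
    """Build the CGI environment; repeated fields are joined with ', '."""
    env = {}
    for name, value in headers:
        if not _TOKEN.match(name):
            raise BadHeader("invalid header name: %r" % name)
        if _BAD_VALUE.search(value):
            raise BadHeader("control character in header value: %r" % value)
        key = _UNPREFIXED.get(name.lower())
        if key is None:
            key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value if key not in env else env[key] + ", " + value
    return env


# Constructed sample requests for the example.
GOOD_REQUEST = (
    b"Host: example.test\r\n"
    b"X-Forwarded-For: 203.0.113.5\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
)
# A bare CR inside the value: a lax parser would hand "a\rinjected" to the
# CGI child as HTTP_X_NOTE.
BAD_REQUEST = b"X-Note: a\rinjected\r\n\r\n"


def demo():
    env = to_cgi_env(parse_headers(GOOD_REQUEST))
    try:
        to_cgi_env(parse_headers(BAD_REQUEST))
        rejected = False
    except BadHeader:
        rejected = True
    return env, rejected


if __name__ == "__main__":
    print(demo())
```

Splitting strictly on CRLF matters as much as the value check: a parser that also accepts a lone LF as a terminator would turn `a\ninjected-header: x` into a second header line that the value check never sees.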
CVE-2026-2835
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers...
HumHub Cross-Site Scripting Vulnerability
HumHub is an open-source social networking software developed using the Yii PHP framework. HumHub version 1.18.0 contains a cross-site scripting vulnerability. This vulnerability stems from inconsistent output encoding in the Button component, which may allow malicious scripts to be injected and...
SUSE SLES15 Security Update : postgresql17 (SUSE-SU-2026:0787-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0787-1 advisory. This update for postgresql17 fixes the following issue: Update to version 17.9 (bsc#1258754). Regression fixes: - the substring function raises...
Chamilo Security Vulnerability
Chamilo is an open-source learning management system developed by Chamilo. Versions of Chamilo prior to 1.11.34 contain a security vulnerability caused by improper encoding of input before it is rendered on the exercise history page. This can lead to stored cross-site...
AVideo OS Command Injection Vulnerability
AVideo is an open-source broadcast network creation tool developed by the World Wide Broadcast Network. AVideo prior to version 7.0 contains an operating system command injection vulnerability. This vulnerability allowed unauthenticated attackers to execute arbitrary operating syst...
Alkaid: Resilience to Edit Errors in Provably Secure Steganography Via Distance-Constrained Encoding
While provably secure steganography provides strong concealment by ensuring stego carriers are indistinguishable from natural samples, such systems remain vulnerable to real-world edit errors (e.g., insertions, deletions, substitutions) because their decoding depends on perfect synchronization and...
SUSE SLES15 Security Update : postgresql18 (SUSE-SU-2026:0769-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0769-1 advisory. This update for postgresql18 fixes the following issue: Update to version 18.3 (bsc#1258754). Regression fixes: - the substring function raises...
EUVD-2026-9815
The Eclipse Jetty Server Artifact has a Gzip request memory leak...
GHSA-HJ7X-879W-VRP7 Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
Impact Pingora versions prior to 0.8.0 improperly allowed HTTP/1.0 request bodies to be close-delimited and incorrectly handled multiple Transfer-Encoding values. This allows an attacker to desync Pingora's request framing from backend servers and smuggle requests to the backend. This vulnerabili...
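The two framing mistakes named in the Pingora entries (close-delimiting an HTTP/1.0 request body, and tolerating more than one Transfer-Encoding value) both let a proxy's idea of where one request ends drift from the backend's. The following is an added example, not Pingora's code: a strict framing decision that follows RFC 9112 section 6.3 (requests are never close-delimited; Transfer-Encoding on an HTTP/1.0 message is faulty framing; multiple or non-chunked transfer codings are rejected), placed beside a deliberately lax decision. The lax variant is a hypothetical illustration of the bug class, not a reconstruction of what Pingora did, and the request bytes are constructed for the example.

```python
"""Request-body framing for HTTP/1.x, strict (RFC 9112 s.6.3) vs. lax.
Added example, not Pingora's code; the lax variant is hypothetical."""


class FramingError(ValueError):
    """Reject with 400 and close the connection: framing is ambiguous."""


def parse_request_head(raw):
    """Return (version, [(lower-name, value)...], bytes after the head)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, _target, version = lines[0].split(" ")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers, rest


def _values(headers, name):
    """All values of a field, flattening comma lists (RFC 9110 s.5.3)."""
    out = []
    for n, v in headers:
        if n == name:
            out.extend(x.strip().lower() for x in v.split(",") if x.strip())
    return out


def strict_framing(version, headers):
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")
    if te and version == "HTTP/1.0":
        raise FramingError("Transfer-Encoding on an HTTP/1.0 request is faulty framing")
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        # A proxy should only forward what it can frame itself: exactly one
        # "chunked" coding, nothing stacked in front of or behind it.
        if te != ["chunked"]:
            raise FramingError("unsupported Transfer-Encoding chain %r" % te)
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("invalid Content-Length %r" % cl)
        return ("length", int(cl[0]))
    return ("length", 0)  # a request without CL/TE has an empty body


def lax_framing(version, headers):
    """Hypothetical buggy decision: any 'chunked' among several values wins,
    and an HTTP/1.0 request with no length is read until the client closes."""
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")
    if "chunked" in te:
        return ("chunked", None)
    if cl:
        return ("length", int(cl[0]))
    if version == "HTTP/1.0":
        return ("close", None)
    return ("length", 0)


def _skip_chunked(data):
    """Advance past a chunked body (chunk extensions ignored, no trailers)."""
    while True:
        line, _, data = data.partition(b"\r\n")
        size = int(line.split(b";")[0], 16)
        if size == 0:
            _, _, data = data.partition(b"\r\n")  # empty trailer section
            return data
        data = data[size + 2:]  # payload plus its terminating CRLF


def count_requests(raw, framing_fn):
    """How many requests a reader using framing_fn sees in one TCP stream."""
    n = 0
    while raw:
        version, headers, rest = parse_request_head(raw)
        kind, length = framing_fn(version, headers)
        n += 1
        if kind == "length":
            raw = rest[length:]
        elif kind == "chunked":
            raw = _skip_chunked(rest)
        else:  # "close": everything that follows is treated as body
            break
    return n


# Constructed stream: an HTTP/1.0 request with no body, followed by a second
# request. A strict reader sees two requests; a close-delimiting reader sees
# one request whose "body" is the second request, so the backend and the
# proxy disagree about where request 1 ends.
TWO_REQUESTS = (
    b"POST / HTTP/1.0\r\nHost: backend\r\n\r\n"
    b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
)
CHUNKED_THEN_GET = (
    b"POST / HTTP/1.1\r\nHost: backend\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
    b"GET /x HTTP/1.1\r\nHost: backend\r\n\r\n"
)

if __name__ == "__main__":
    print(count_requests(TWO_REQUESTS, strict_framing), count_requests(TWO_REQUESTS, lax_framing))
```

The desync is the difference between the two `count_requests` results on the same bytes: whichever side frames loosely has its next request boundary chosen by the client.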
CVE-2026-3598 RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption
Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro (rustdesk-server-pro) on Windows, MacOS, Linux (Config string generation, web console export modules) allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routin...
CVE-2026-3598
The CVE concerns RustDesk Server Pro up to version 1.7.5, where config strings are generated using a reversible encoding (Base64 plus reversal) instead of proper encryption. This weakness in the config export/generation routines potentially allows an attacker who can access t...
SUSE CVE-2026-28435
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip or other...
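The cpp-httplib entry, and the Jetty and Undertow resource-exhaustion entries near it, are variations on one failure mode: a size limit that is checked on the wire bytes but not on what those bytes expand into. The following is an added example, not cpp-httplib's code: a streaming gzip inflater that enforces the limit on the decompressed byte count, capping each inflate call so that a small compressed body cannot allocate its full expansion before the check fires. The compressed inputs are constructed in the block.

```python
"""Bounded streaming gzip decompression (added example, not cpp-httplib's
code). The limit applies to decompressed bytes, checked before each
per-call output slice is accepted."""
import gzip
import zlib


class PayloadTooLarge(Exception):
    """Answer 413 and stop reading; nothing beyond max_decoded was allocated."""


def inflate_bounded(compressed_chunks, max_decoded, cap=64 * 1024):
    """Inflate a gzip stream arriving as chunks. Returns (data, total).

    Each decompress() call may emit at most `cap` bytes; the running total
    is compared against max_decoded before the slice is kept, so a highly
    compressible body is rejected after at most cap extra bytes."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    total = 0
    output = []
    for chunk in compressed_chunks:
        data = chunk
        while True:
            out = d.decompress(data, cap)
            total += len(out)
            if total > max_decoded:
                raise PayloadTooLarge("decompressed body exceeds %d bytes" % max_decoded)
            output.append(out)
            data = d.unconsumed_tail  # input zlib could not yet turn into output
            if d.eof or (not data and len(out) < cap):
                break  # stream finished, or inflater drained for this chunk
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return b"".join(output), total


def _chunked(blob, size=1024):
    """Simulate a socket delivering the compressed body in small reads."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]


# Constructed inputs: a normal body, and 8 MiB of zeros that gzips to a few KiB.
SMALL = b"hello world " * 100
SMALL_GZ = gzip.compress(SMALL)
BOMB_GZ = gzip.compress(b"\x00" * (8 * 1024 * 1024))
LIMIT = 1024 * 1024  # 1 MiB of decoded payload allowed


def demo():
    data, total = inflate_bounded(_chunked(SMALL_GZ), LIMIT)
    try:
        inflate_bounded(_chunked(BOMB_GZ), LIMIT)
        rejected = False
    except PayloadTooLarge:
        rejected = True
    return data == SMALL, total, len(BOMB_GZ), rejected


if __name__ == "__main__":
    print(demo())
```

Checking `len(BOMB_GZ)` against the limit would pass (it is a few kilobytes); only the decoded count catches it, which is the distinction the advisory is about.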
undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoded as application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...
CVE-2026-1605
A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server's response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustio...