GHSA-PFCQ-4GJR-6GJM RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks

Missing Admin Auth on Notification Target Endpoints in RustFS Finding Summary All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any admin-action...

Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode

Description String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the...

EUVD-2026-24921

In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmuctx-pmu for groups Oliver reported that x86pmudel ended up doing an out-of-bound memory access when groupschedin fails and needs to roll back. This should be handled by the transaction callbacks, but he...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +1093 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-core MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

CVE-2026-4119

creationtimestamp| type| source ---|---|--- 2026-04-22 09:00:28+00:00| seen| https://infosec.exchange/users/offseq/statuses/116447538532151230 2026-04-22 09:00:30+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mk353qm3xy2m 2026-04-22 11:16:16+00:00| published-proof-of-concept|...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +874 more potentially affected by CVE-2026-22747 via org.springframework.security:spring-security-web (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-web MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

PT-2026-34559

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.94 Description Four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check permissions helper that validates authentication but fails to perform admin-action authorization...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013852)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013852 advisory. In the Linux kernel, the following vulnerability has been resolved: tracing: dynevent: Add a missing lockdown check on dynevent Since dynamicevents interface on...

EUVD-2026-24323

Vulnerability in the Oracle User Management product of Oracle E-Business Suite component: Workflow and Business Events. Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User...

CVE-2026-22014

Vulnerability in the Oracle User Management product of Oracle E-Business Suite component: Workflow and Business Events. Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User...

CVE-2026-40576

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated...

CVE-2026-31368

creationtimestamp| type| source ---|---|--- 2026-04-21 07:26:48+00:00| seen| https://bsky.app/profile/postac001.bsky.social/post/3mjyhfby5pv23 2026-04-21 07:30:34+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mjyhlzy3vh2c 2026-04-21 09:15:10+00:00| seen|...

Oracle User Management 安全漏洞

Oracle User Management is a user management system developed by Oracle, a company in the United States. There are security vulnerabilities in versions 12.2.7 to 12.2.15 of Oracle User Management. These vulnerabilities stem from issues with the Workflow and Business Events component. They may allo...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-006955)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006955 advisory. In the Linux kernel, the following vulnerability has been resolved: tracing/hist: Fix out-of-bound write on 'actiondata.varrefidx' When generate a synthetic event wi...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011328)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011328 advisory. In the Linux kernel, the following vulnerability has been resolved: tracing: dynevent: Add a missing lockdown check on dynevent Since dynamicevents interface on...

CVE-2026-5265

creationtimestamp| type| source ---|---|--- 2026-04-20 16:12:58+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mjwudarxe22v 2026-04-20 16:23:01+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mjwuv7lkt72h...

CVE-2026-6574

creationtimestamp| type| source ---|---|--- 2026-04-19 15:00:14+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mju7sa6ety2v 2026-04-19 15:00:15+00:00| seen| https://infosec.exchange/users/offseq/statuses/116431966121032331 2026-04-19 15:15:14+00:00| seen|...

CVE-2026-4801

The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds...

CVE-2026-4801 Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data

The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds...

CVE-2026-40333

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptpunpackEOSevents have xsize available but never pass it, leaving both...