CVE-2026-3207 TIBCO BPM Enterprise Remote Code Execution (RCE) Vulnerability
Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access...
CVE-2026-3207
The CVE concerns TIBCO BPM Enterprise (4.x) JMX security: a configuration issue allows unauthorized access. Affected component is Java Management Extensions (JMX) handling in BPM Enterprise. The CVSS v4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N, CIA impacts: Confidentiality HIGH, Integrity HIGH, Availab...
ClickFix Attack Targets Devs with MacSync Malware via Fake Claude Tools
Cybersecurity researchers at 7AI have revealed a new Claude Fraud campaign in which hackers use fake AI extensions and Google ads to steal data from tech professionals...
RUSTSEC-2026-0066 Insufficient validation of PAX extensions during extraction
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malform...
OPENSUSE-SU-2026:20372-1 Security update for chromium
This update for chromium fixes the following issues: Changes in chromium: - Chromium 146.0.7680.80: CVE-2026-3909: Out of bounds write in Skia boo1259659 - Chromium 146.0.7680.75 released 2026-03-12 boo1259648 CVE-2026-3910: Inappropriate implementation in V8. - Chromium 146.0.7680.71 released...
PT-2026-25983
Name of the Vulnerable Software and Affected Versions: astral-tokio-tar versions 0.5.6 and earlier. Description: astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This...
Google Chrome Extensions Resource Management Error Vulnerability (CNVD-2026-14595)
Google Chrome is a free web browser developed by Google Inc. A security vulnerability exists in Google Chrome Extensions, which originates from re-referencing or using freed memory and can be exploited by remote attackers to execute arbitrary code...
TIBCO BPM Enterprise Security Vulnerability
TIBCO BPM Enterprise is a business process management platform developed by TIBCO Corporation in the United States. This platform enables companies to drive digital transformation by making better decisions and taking faster, more informed actions. Version 4.x of TIBCO BPM Enterprise contains a...
Cross-site Scripting (XSS)
Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload process. An attacker can execute arbitrary scripts in the user's browser by...
GHSA-42PH-PF9Q-CR72 Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
Impact: An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. ;charset=utf-8) to the Content-Type header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under t...
USN-8093-1: libssh vulnerability
It was discovered that libssh incorrectly performed bounds checking when processing SFTP extensions. If a client application queried extension data out of bounds, it could cause the application to crash, resulting in a denial of service, or exhibit unintended behavior...
PT-2026-25823
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. ;charset=utf-8) to the Content-Type header...
MAL-2026-1565 Malicious code in transform-export-extensions (npm)
The package 'transform-export-extensions' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...
Fedora 42 : chromium (2026-e71e71d1fe)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-e71e71d1fe advisory. Update to 146.0.7680.71 CVE-2026-3913: Heap buffer overflow in WebML CVE-2026-3914: Integer overflow in WebML CVE-2026-3915: Heap buffer overflow in...
MAL-2026-1550 Malicious code in syntax-export-extensions (npm)
The package 'syntax-export-extensions' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...