CVE-2026-8938

The CVE-2026-8938 entry concerns the WordPress plugin “auto making JSON-LD” (versions

Synology Surveillance Station 安全漏洞

Synology Surveillance Station is an application developed by Synology, a Chinese company. It provides intelligent monitoring and video management tools to protect your valuable assets. There are security vulnerabilities in versions of Synology Surveillance Station prior to 9.2.2-11575 and...

PT-2026-44556

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.216 Description A use after free issue in Passwords on Windows allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape. This is achieved through the u...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the KVM SVM module not properly injecting UD exceptions when EFER.SVME=0 is set. This may lead to...

PT-2026-44158

Summary The WordExport export flow only checks whether the current backend user has the feature permission word export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view...

SUSE SLES15 Security Update : java-1_8_0-openj9 (SUSE-SU-2026:2036-1)

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2036-1 advisory. This update for java-180-openj9 fixes the following issues - CVE-2026-1188: eclipse: ensure room for separator in...

CVE-2026-9247

CVE-2026-9247: Insufficient logging in Devolutions Server’s entry export feature allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier. Root cause: l...

CVE-2026-9248

CVE-2026-9248 details an authorization bypass in Devolutions Server’s entry-duplication feature. An authenticated user with write access to any vault can craft a save request to copy documentation and attachments from an entry in a vault they cannot access. Affected versions include Devolutions S...

CVE-2026-9248

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : Devolutions Server 2026.1.6.0...

CVE-2026-48172

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation possibly to root, as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpaneljsonapifunc=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2/dev/null in Bash. If you get no output,...

Unity Linux 20.1060e / 20.1070e Security Update: datanucleus-api-jdo (UTSA-2026-016658)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016658 advisory. Apache Log4j2 2.0-beta9 through 2.15.0 excluding security releases 2.12.2, 2.12.3, and 2.3.1 JNDI features used in configuration, log messages, and parameters do not...

Twig: The `spaceless` filter implicitly marks its output as safe

Description The spaceless filter is registered with issafe = 'html', which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw...

CVE-2026-8239 Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rating'

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/getrating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with...

CVE-2026-43495

In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate portcount against message length in t7xxportenummsghandler t7xxportenummsghandler uses the modem-supplied portcount field as a loop bound over portmsg-data without checking that the message buffer contai...

UBUNTU-CVE-2026-43495

In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate portcount against message length in t7xxportenummsghandler t7xxportenummsghandler uses the modem-supplied portcount field as a loop bound over portmsg-data without checking that the message buffer contai...

CVE-2026-43495

CVE-2026-43495 concerns the Linux kernel net/wwan/t7xx subsystem. The issue arises in t7xx_port_enum_msg_handler, which uses a modem-provided port_count to loop over port_msg->data[] without ensuring the message buffer is long enough, enabling a potential slab-out-of-bounds read when port_coun...

EUVD-2026-31211

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-48172

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation possibly to root, as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpaneljsonapifunc=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2/dev/null in Bash. If you get no output,...

CVE-2026-45585

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be...

CVE-2026-48172

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation possibly to root, as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpaneljsonapifunc=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2/dev/null in Bash. If you get no output,...