CVE-2026-40544

creationtimestamp| type| source ---|---|--- 2026-06-01 01:55:00+00:00| seen| https://cert.pl/en/posts/2026/06/CVE-2026-40543...

PT-2026-42121

Name of the Vulnerable Software and Affected Versions Ruby versions 4.0.0 through 4.0.4 Description Security issues were identified in the Ruby language implementation that require remediation to ensure system security. Recommendations Update Ruby to version 4.0.5...

BIT-ARGO-WORKFLOWS-2026-42296 Argo Workflows has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod...

CVE-2026-42183

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the addWebhookAuthorization function. An attacker can cause excessive memory allocation by sending a large request body to the publicly accessible /api/v1/events/ endpoint,...

GHSA-C96X-RPM4-349P Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory...

BIT-ARGO-WORKFLOWS-2026-40886 Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod function causes a controller-wide panic when a workflow pod carries a malformed...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Validation of Integrity Check Value in go-git [CVE-2026-25934]

Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Validation of Integrity Check Value in go-git, due to an issue where data integrity values for .pack and .idx files were not properly verified CVE-2026-25934. GO-git is used as a component of our ibm-watson-speech-catalog...

PT-2026-22319

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

CVE-2025-14893

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and...

CRLF Injection

Overview comfyui-manager is a ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI. Affected versions of this package are vulnerable to CRLF Injection via the writeconfig function. An attacker can alter...

CVE-2025-14893

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and...

PT-2026-1757

Name of the Vulnerable Software and Affected Versions IndieWeb plugin for WordPress versions through 4.0.5 Description The IndieWeb plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping related to the Telephone...

CVE-2025-62141 WordPress Wawp plugin <= 4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Information Technology Wawp automation-web-platform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wawp: from n/a through = 4.4...

PT-2025-42549

Name of the Vulnerable Software and Affected Versions Xpdf versions prior to 4.06 Description A flaw exists in Xpdf versions 4.05 and earlier related to PDF object handling within CMap structures. Specifically, a loop in a CMap, triggered through the "UseCMap" entry, can result in infinite...

Unity Linux 20.1070e Security Update: skopeo (UTSA-2025-985018)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-985018 advisory. Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web...

CVE-2025-41044

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataPagename' parameter in /apprain/page/manage-static-pages/create...

CVE-2025-41055

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAddonlayouts' and 'dataAddonlayoutsexcept' parameters in /apprain/developer/addons/update/dialogs...

CVE-2025-41060 Stored Cross-Site Scripting vulnerability in appRain CMF

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAddonlayouts' and 'dataAddonlayoutsexcept' parameters in /apprain/developer/addons/update/tree...

CVE-2025-41044

CVE-2025-41044 affects appRain CMF 4.0.5. A stored authenticated XSS exists due to improper validation of user input in the /apprain/page/manage-static-pages/create endpoint, specifically through the data[Page][name] parameter. Public sources consistently describe the vulnerability as cross-site ...