PT-2026-33458

Name of the Vulnerable Software and Affected Versions lukevella rallly versions prior to 4.8.0 Description A flaw in the Reset Password Handler component within the file 'apps/web/src/app/locale/auth/reset-password/components/reset-password-form.tsx' allows for remote cross site scripting. This...

PT-2026-33449

Name of the Vulnerable Software and Affected Versions QueryMine sms versions up to 7ab5a9ea196209611134525ffc18de25c57d9593 Description Remote SQL injection is possible via the GET Request Parameter Handler in the 'admin/editcourse.php' file. The issue occurs when the ID argument is manipulated,...

PT-2026-33455

Name of the Vulnerable Software and Affected Versions libvips versions prior to 8.19 Description A heap-based buffer overflow exists in the nip2 Handler component within the im minpos vec function of the file libvips/deprecated/vips7compat.c. This issue occurs when the argument n is manipulated,...

PT-2026-33461

Name of the Vulnerable Software and Affected Versions prasathmani TinyFileManager versions prior to 2.7 Description An issue in the File Upload Handler component allows for server-side request forgery, a flaw where an attacker can induce the server to make requests to an unintended location. This...

PT-2026-33480

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op crypt key callback packet without prior authentication, the port server crypt callback handler is not initialized, resulting in a null pointer dereference...

PT-2026-37122

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.6.9 Description Insufficient command handling in the parse mcp command function allows for arbitrary code execution. The function fails to implement a command allowlist or argument validation, enabling executables...

CVE-2025-70795

STProcessMonitor 11.11.4.0 (Safetica Application suite) is reported to expose a local IOCTL-based termination capability. The vulnerability arises from insufficient caller validation in the driver's IOCTL handler, enabling an admin-privileged user to load the driver and send a crafted IOCTL (0xB8...

Linux Distros Unpatched Vulnerability : CVE-2026-6491

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function imminposvec of the file libvips/deprecated/vips7compat....

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007268)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007268 advisory. In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Create persistent INTx handler A vulnerability exists where the eventfd for INTx...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007309)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007309 advisory. In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Do not register event handler until srpt device is fully setup Upon rare occasions,...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007370)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007370 advisory. In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpivideoswitchbrightness The switchbrightnesswork delayed wor...

[SECURITY] Fedora 44 Update: plasma-drkonqi-6.6.4-1.fc44

DrKonqi crash handler for KF6/Plasma6...

CVE-2026-40247

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when...

CVE-2026-40249

CVE-2026-40249 affects free5GC UDR (versions 4.2.1 and earlier). The PUT handler for /nudr-dr/v2/policy-data/subs-to-notify/{subsId} may continue processing after request body read or deserialization errors, invoking the processor with an uninitialized/partially initialized PolicyDataSubscription...

GHSA-VP6R-9M58-5XV8 OmniFaces: EL injection via crafted resource name in wildcard CDN mapping

Impact Server-side EL injection leading to Remote Code Execution RCE. Affects applications that use CDNResourceHandler with a wildcard CDN mapping e.g. libraryName:=https://cdn.example.com/. An attacker can craft a resource request URL containing an EL expression in the resource name, which is...

GHSA-3JPJ-V3XR-5H6G zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records

Summary The unaccess handler controller/unaccess.go contains a logical error in its ownership guard: when a frontend record has environmentid = NULL the marker for admin-created global frontends, the condition short-circuits to false and allows the deletion to proceed without any ownership...

zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records

Summary The unaccess handler controller/unaccess.go contains a logical error in its ownership guard: when a frontend record has environmentid = NULL the marker for admin-created global frontends, the condition short-circuits to false and allows the deletion to proceed without any ownership...

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary Multiple vulnerabilities were addressed in IBM Event Processing 1.5.0 Vulnerability Details CVEID:CVE-2026-1002 DESCRIPTION: The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. Th...

CVE-2026-1572

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler laeadminajax and insufficient...