Linux Distros Unpatched Vulnerability : CVE-2026-5766

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the...

Linux Distros Unpatched Vulnerability : CVE-2026-43870

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Neutralization of CRLF Sequences in HTTP Headers...

Django 安全漏洞

Django is an open-source web framework based on the Python language, developed by the Django Foundation. This framework includes an object-oriented mapper, a view system, and a template system. Versions of Django prior to 6.0.5 and 5.2.14 contained security vulnerabilities. These vulnerabilities...

UBUNTU-CVE-2026-28780

Heap-based Buffer Overflow vulnerability in modproxyajp of Apache HTTP Server. If modproxyajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to modproxyajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue...

PT-2026-37260

Name of the Vulnerable Software and Affected Versions DevGuard versions prior to 1.2.2 Description An authentication bypass exists in the SessionMiddleware where the system accepts a client-supplied X-Admin-Token HTTP request header. When no Kratos session cookie is present, the raw string value ...

ROS-20260505-73-0071

A vulnerability in the tarfile module of the Python programming language interpreter CPython is related to incorrect parsing of the file header. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

PT-2026-37286

Name of the Vulnerable Software and Affected Versions microdot versions prior to 2.6.1 Description The Response.set cookie function does not sanitize string arguments, failing to detect the r sequence. This allows for HTTP response splitting and header injection attacks. For this to be exploited,...

PT-2026-37043

Name of the Vulnerable Software and Affected Versions Realtek rtl819x Jungle SDK versions prior to v3.4.14B Description The rtl8192cd Wi-Fi kernel driver fails to perform access control checks on the write mem ioctl 0x89F5 and read mem ioctl 0x89F6 debug handlers. These handlers are included in...

PT-2026-36992

Name of the Vulnerable Software and Affected Versions Apache Thrift versions prior to 0.23.0 Description Apache Thrift contains multiple issues, including an origin validation error, improper limitation of a pathname to a restricted directory Path Traversal, improper neutralization of CRLF...

📄 Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking

Traccar GPS Tracking System version 6.11.1 cross-site websocket hijacking proof of concept exploit. Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking CSWSH Date: 2026-02-26 Exploit Author: Hazar Taspinar Vendor Homepage: https://www.traccar.org/ Software Link:...

ROS-20260505-73-0072

A vulnerability in the tarfile module of the Python programming language interpreter CPython is related to incorrect parsing of the file header. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

Fixed in Apache Tomcat 11.0.22

Moderate: Security constraints not correctly applied CVE-2026-43515 When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commits 276087d9 and 06597486. This issue was reported to the...

Jupyter Server 安全漏洞

Jupyter Server is an application developed by the Jupyter organization that provides backend services for Jupyter web applications. Jupyter Server versions 2.17.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the Origin header validation mechanism, which uses...

CVE-2026-28780

Heap-based Buffer Overflow vulnerability in modproxyajp of Apache HTTP Server. If modproxyajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to modproxyajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue...

PT-2026-36988

Name of the Vulnerable Software and Affected Versions Axios versions 1.0.0 through 1.15.1 Description Axios is a promise-based HTTP client for the browser and Node.js. The HTTP adapter reads five configuration properties—auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser—via direct...

Linux Distros Unpatched Vulnerability : CVE-2026-6907

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary head...

ROS-20260505-73-0070

A vulnerability in the tarfile module of the Python programming language interpreter CPython is related to incorrect parsing of the file header. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

next: Next.js Server-Side Request Forgery in Server Actions

A Server-Side Request Forgery SSRF vulnerability was identified in Next.js Server Actions. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required...

GHSA-GV7R-3MR9-H5X8 AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass

Summary The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When th...

Weak Password Recovery Mechanism for Forgotten Password

Overview Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the ApplyXForwarded process. An attacker can gain unauthorized access to user accounts and bypass two-factor authentication by injecting a malicious X-Forwarded-Host header...