CVE-2026-25757 Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users including names, addresses and phone numbers. This...
Update of microcode_ctl
Update Intel CPU microcode to 20251111: - Addition of cpuid:806F8/0x10 SPR-HBM B3 microcode in microcode.dat at revision 0x2c000410; - Addition of cpuid:806F8/0x87 SPR-SP E5/S3 microcode in microcode.dat at revision 0x2b000650; - Addition of cpuid:90672/0x07 ADL-HX/S 8+8 C0 microcode in...
CVE-2026-1553 Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4...
USN-8001-1 openjdk-lts vulnerabilities
It was discovered that the RMI component of OpenJDK 11 would establish RMI TCP endpoint connections to a remote host without setting an endpoint identification algorithm. An unauthenticated remote attacker could possibly use this issue to steal sensitive information. CVE-2026-21925 Mingijung...
CVE-2025-6596
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vecto...
MINI-JR5P-8C3J-3858
Bulletin has no description...
MINI-5C4W-7XGG-RFXJ
Bulletin has no description...
CVE-2026-24854
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint /PaddleNumEditor.php in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the PerID parameter. Version 6.7...
CVE-2025-55292
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by its NodeID, generated from the MAC address, rather than by its public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption...
CGA-GG84-WR89-FWP8
Bulletin has no description...
CGA-G593-5Q5H-2F35
Bulletin has no description...
CGA-7Q3Q-3M29-6VCG
Bulletin has no description...
CGA-J7Q7-VHHF-6R67
Bulletin has no description...
CGA-FVRG-6JPQ-RH75
Bulletin has no description...
CGA-9M92-4R7Q-86J5
Bulletin has no description...
CGA-2Q8X-54R9-WGMP
Bulletin has no description...
CGA-QMCX-79QH-755C
Bulletin has no description...
Oneflow security vulnerabilities
OneFlow is an open-source deep learning framework developed by OneFlow. Version 0.9.0 of OneFlow contains a security vulnerability. This vulnerability stems from a device ID verification flaw, which may allow a denial-of-service attack by invoking flow.cuda.synchronize with invalid or out-of-rang...
Meshtastic security vulnerabilities
Meshtastic is an open-source, decentralized wireless off-grid mesh network LoRa protocol developed by Meshtastic. Meshtastic has a security vulnerability, which stems from defects in the node identification mechanism. This vulnerability could allow attackers to forge node information and hijack...
CVE-2025-55292
CVE-2025-55292 affects Meshtastic, where NodeIDs are derived from MAC addresses instead of public keys, enabling an attacker to forge a NodeInfo and advertise HAM mode (which lacks encryption). This allows other mesh nodes to accept the forged information, overwrite the NodeDB, and route direct m...