6485 matches found

NVD · added 2026/04/07 5:16 p.m.

CVE-2026-23696

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signi...

CVSS 9.9 · EPSS 0.00105 · Exploits 0 · References 7

ATTACKERKB · added 2026/04/07 4:50 p.m.

CVE-2026-23696

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signi...

CVSS 9.9 · AI score 6.4 · EPSS 0.00105 · Exploits 0 · References 7 · Affected software 2

SUSE Linux · added 2026/04/07 2:18 p.m.

Security update for govulncheck-vulndb

This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20260402T184258 (2026-04-02T18:42:58Z, jsc#PED-11136). Go CVE Numbering Authority IDs added or updated with aliases: GO-2026-4518 (CVE-2026-32286, GHSA-jqcq-xjh3-6g23), GO-2026-4753 (CVE-2026-33487, GHSA-479m-364c-43vc)...

CVSS 9.4 · AI score 6.5 · EPSS 0.23896 · Exploits 17 · References 70

OSV · added 2026/04/07 9:16 a.m.

DEBIAN-CVE-2026-28810

Generation of Predictable Numbers or Identifiers vulnerability in the Erlang/OTP kernel inet_res and inet_db modules allows DNS cache poisoning. The built-in DNS resolver inet_res uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization...

CVSS 6.3 · AI score 5.4 · EPSS 0.00047 · Exploits 0 · References 1

OSV · added 2026/04/07 9:16 a.m.

UBUNTU-CVE-2026-28810

Generation of Predictable Numbers or Identifiers vulnerability in the Erlang/OTP kernel inet_res and inet_db modules allows DNS cache poisoning. The built-in DNS resolver inet_res uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization...

CVSS 6.3 · AI score 5.8 · EPSS 0.00047 · Exploits 0 · References 9

OSV · added 2026/04/07 7:50 a.m.

EEF-CVE-2026-28810 Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver

Summary: Generation of Predictable Numbers or Identifiers vulnerability in the Erlang/OTP kernel inet_res and inet_db modules allows DNS cache poisoning. The built-in DNS resolver inet_res uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomizatio...

CVSS 6.3 · AI score 5.8 · EPSS 0.00047 · Exploits 0 · References 6

CVE · added 2026/04/07 7:50 a.m.

CVE-2026-28810

CVE-2026-28810 affects the Erlang/OTP kernel built-in DNS resolver (inet_res) and its inet_db module. The issue arises from a 16-bit, process-global transaction ID used for UDP queries and the absence of source port randomization, making DNS responses vulnerable to spoofing and cache poisoning wh...

CVSS 6.3 · AI score 5.9 · EPSS 0.00047 · Exploits 0 · References 7 · Affected software 1
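The four CVE-2026-28810 entries above all describe the same weakness: a resolver whose 16-bit transaction ID is a process-global counter and whose UDP source port never changes gives a spoofer a prediction instead of a guess. The following simulation is an added example written for this listing; it is not OTP code and does not model inet_res itself. It compares a constructed "counter + fixed port" resolver with a constructed "random ID + random port" resolver, and the port-pool size, the fixed port number and the attacker's observation step are assumptions of the model. It also works the arithmetic for the blind case, where the attacker floods forged responses without observing anything.

```python
import math
import random

ID_SPACE = 1 << 16               # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65536 - 1024   # assumed pool a randomizing resolver draws from


class SequentialResolver:
    """Constructed model of the weak pattern: one process-global counter for
    the transaction ID and the same UDP source port for every query."""

    def __init__(self, start=0, port=53000):   # port value is an assumption
        self.next_id = start
        self.port = port

    def send_query(self):
        txid = self.next_id
        self.next_id = (self.next_id + 1) % ID_SPACE
        return txid, self.port


class RandomizedResolver:
    """Constructed model of the fix: fresh random ID and source port per query."""

    def __init__(self, rng):
        self.rng = rng

    def send_query(self):
        return self.rng.randrange(ID_SPACE), self.rng.randrange(1024, 65536)


def spoof_success_rate(resolver, trials):
    """Attacker observes one query (e.g. by having the resolver look up a name
    in a zone the attacker serves), predicts the next query's (id, port) and
    sends a single forged response for it. Returns the fraction of trials in
    which that forged response would have matched and been accepted."""
    observed_id, observed_port = resolver.send_query()
    hits = 0
    for _ in range(trials):
        prediction = ((observed_id + 1) % ID_SPACE, observed_port)
        actual = resolver.send_query()
        hits += prediction == actual
        observed_id, observed_port = actual   # attacker observes again
    return hits / trials


def forged_packets_for(probability, id_space=ID_SPACE, port_choices=1):
    """Blind flooding: number of distinct forged responses needed inside one
    query window to reach `probability`. port_choices=1 models a fixed port."""
    return math.ceil(probability * id_space * port_choices)


def compare(trials=500, seed=7):
    """Runs both models; returns (sequential_rate, randomized_rate)."""
    return (spoof_success_rate(SequentialResolver(), trials),
            spoof_success_rate(RandomizedResolver(random.Random(seed)), trials))


if __name__ == "__main__":
    seq, rnd = compare()
    print(f"counter id + fixed port : {seq:.3f} hit rate per forged response")
    print(f"random id + random port : {rnd:.3f} hit rate per forged response")
    print("blind flood, 50% odds, fixed port :", forged_packets_for(0.5))
    print("blind flood, 50% odds, random port:",
          forged_packets_for(0.5, port_choices=EPHEMERAL_PORTS))
```

The model is deliberately generous to the fixed-port resolver: it ignores that the attacker can retrigger lookups for fresh subdomains until one forged response wins the race with the legitimate answer, which only shortens the attack further when the ID is predictable. With a random ID and a random port the attacker is back to roughly 2^32 candidates per window, which is the whole point of the fix the advisory describes.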
Positive Technologies · added 2026/04/07 12:00 a.m.

PT-2026-31003

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or...

CVSS 7.5 · AI score 5.8 · EPSS 0.00017 · Exploits 0 · References 3
Cvelist · added 2026/04/06 9:46 p.m.

CVE-2026-35449 WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVSS 5.3 · EPSS 0.00018 · Exploits 1 · References 1

Circl · added 2026/04/06 3:19 p.m.

RHSA-2025:3976

creationtimestamp | type | source
--- | --- | ---
2026-04-06 15:19:47+00:00 | seen | Telegram/zfToAAWf8eWnJ7ba07A0EZZiZLhP55gYdeGjYzJA6KMcCw
2026-04-06 15:20:12+00:00 | seen | Telegram/0sUuWW8J84hCZb1n0MF5lAvDyk6dii4XfiqOlA0c3Bj-PlY
2026-04-06 15:20:35+00:00 | seen | ...

AI score 4.8 · Exploits 0

CNNVD · added 2026/04/06 12:00 a.m.

Linux kernel security vulnerability

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the use of non-UUID volumes, potentially leading to the provision of inappropriate file system...

CVSS 5.5 · AI score 5.8 · EPSS 0.00007 · Exploits 0 · References 4

OpenVAS · added 2026/04/06 12:00 a.m.

Fedora: Security Advisory (FEDORA-2026-fe96f3532b)

The remote host is missing an update for the ... (the excerpt is cut off; what follows in it is the Greenbone check's file header rather than a description: SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only)...

CVSS 7.5 · AI score 5.9 · EPSS 0.00156 · Exploits 10 · References 14

Github Security Blog · added 2026/04/04 6:16 a.m.

AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

CVSS 5.3 · AI score 5.9 · EPSS 0.00018 · Exploits 1 · References 3 · Affected software 1

OSV · added 2026/04/04 6:16 a.m.

GHSA-HG8Q-8WQR-35XX AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

CVSS 5.3 · AI score 5.9 · EPSS 0.00018 · Exploits 1 · References 3

Snyk · added 2026/04/04 6:16 a.m.

Information Exposure

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the install/test.php script when the command-line interface guard is disabled. An attacker can access sensitive information such as viewer...

CVSS 6.9 · AI score 5.8 · EPSS 0.00018 · Exploits 1 · References 2

CNNVD · added 2026/04/04 12:00 a.m.

Electron security vulnerability

Electron is an open-source JavaScript framework for creating cross-platform desktop applications. It is based on Node.js and Chromium and allows desktop applications to be built with HTML and CSS. There are security vulnerabilities in versions ...

CVSS 5.4 · AI score 5.8 · EPSS 0.00011 · Exploits 0 · References 1

NVD · added 2026/04/03 11:17 p.m.

CVE-2026-34934

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, t...

CVSS 9.8 · EPSS 0.00034 · Exploits 1 · References 1

RedhatCVE · added 2026/04/03 6:00 p.m.

CVE-2026-23463

A flaw was found in the Linux kernel, specifically within the soc: fsl: qbman component. This vulnerability is caused by a race condition that occurs when managing Frame Queue Identifiers (FQIDs). If exploited, this race condition can lead to a system crash, resulting in a Denial of Service (DoS)...

CVSS 5.5 · AI score 5.9 · EPSS 0.00024 · Exploits 0 · References 4

Github Security Blog · added 2026/04/03 3:30 p.m.

Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements

UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitiz...

CVSS 8.1 · AI score 5.9 · EPSS 0.00014 · Exploits 0 · References 3 · Affected software 1

OSV · added 2026/04/03 3:30 p.m.

GHSA-P32Q-V29X-WQ9R Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements

UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitiz...

CVSS 8.1 · AI score 5.9 · EPSS 0.00014 · Exploits 0 · References 2
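The PraisonAI (CVE-2026-34934) and Focalboard entries above share one shape: the write path is fine, the payload is stored as an ordinary value, and the injection only fires later when a read path trusts what came back out of the database and interpolates it into a new statement. That is second-order (stored) SQL injection, and it is missed by reviews that only look at where user input first enters. The block below is an added example for this listing in Python against SQLite; it is not code from either project, and the `threads`/`secrets` schema, the function names and the payload are constructed. It shows the flawed read path next to the parameterized one.

```python
import sqlite3

# Constructed payload: ends the quoted literal, appends a UNION, comments out the tail.
HOSTILE_THREAD_ID = "x' UNION SELECT token FROM secrets --"


def make_db() -> sqlite3.Connection:
    """Constructed schema: per-user threads plus a table the user must not read."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE threads (user_id TEXT, thread_id TEXT, title TEXT);
        CREATE TABLE secrets (token TEXT);
        INSERT INTO secrets VALUES ('constructed-secret-token');
    """)
    return con


def update_thread(con, user_id, thread_id, title):
    """Write path: parameterized, so it succeeds and stores the payload verbatim.
    Nothing is wrong here; the flaw is in who trusts the value later."""
    con.execute("INSERT INTO threads VALUES (?, ?, ?)", (user_id, thread_id, title))


def _stored_ids(con, user_id):
    rows = con.execute(
        "SELECT thread_id FROM threads WHERE user_id = ? ORDER BY rowid", (user_id,))
    return [r[0] for r in rows]


def list_threads_vulnerable(con, user_id):
    """Read path as the advisories describe it: ids fetched from the database
    are treated as trusted and pasted into SQL with an f-string."""
    titles = []
    for tid in _stored_ids(con, user_id):
        sql = f"SELECT title FROM threads WHERE thread_id = '{tid}'"
        titles.extend(row[0] for row in con.execute(sql))
    return titles


def list_threads_fixed(con, user_id):
    """Same read path with a bound parameter: the stored id is only ever a value."""
    titles = []
    for tid in _stored_ids(con, user_id):
        rows = con.execute("SELECT title FROM threads WHERE thread_id = ?", (tid,))
        titles.extend(row[0] for row in rows)
    return titles


def demo():
    """Stores one benign and one hostile thread id, then reads the list both ways.
    Returns (vulnerable_result, fixed_result)."""
    con = make_db()
    update_thread(con, "alice", "t-1", "Hello")
    update_thread(con, "alice", HOSTILE_THREAD_ID, "Weekly sync")
    return list_threads_vulnerable(con, "alice"), list_threads_fixed(con, "alice")


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("f-string read path returns   :", vulnerable)
    print("parameterized read path returns:", fixed)
```

The vulnerable read path returns the secret token in place of the second thread's title; the fixed one returns the two titles and nothing else. The practical rule the two advisories illustrate is that "came from our own database" is not a trust boundary: bind every value on every statement, including values the application itself wrote earlier.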