Lucene search
6501 matches found

Cvelist
added 2026/03/16 12:0 a.m. | 23 views

CVE-2025-69727

An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components index.js and composeUrlImgPhotoIndividu allow the construction of direct URLs to user profile images based solely on predictable identifiers such as user IDs and names. Due to...

EPSS 0.00042
Exploits 0 | References 2
OpenVAS
added 2026/03/16 12:0 a.m. | 1 views

Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2026-1397)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.8 | AI score 5.8 | EPSS 0.00231
Exploits 3 | References 2
Github Security Blog
added 2026/03/13 8:54 p.m. | 8 views

OpenClaw's Zalouser allowlist authorization matched mutable group names by default

Summary: OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be...

AI score 5.8
Exploits 0 | References 3 | Affected Software 1
OSV
added 2026/03/13 8:54 p.m. | 2 views

GHSA-F5MF-3R52-R83W OpenClaw's Zalouser allowlist authorization matched mutable group names by default

Summary: OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be...

AI score 5.9
Exploits 0 | References 3
EUVD
added 2026/03/13 8:2 p.m. | 4 views

EUVD-2026-11696

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint...

CVSS 6.5 | AI score 5.8 | EPSS 0.00018
Exploits 0 | References 4
OSV
added 2026/03/13 11:40 a.m. | 4 views

CLSA-2026-1770214396 Update of microcode_ctl

Update Intel CPU microcode to 20251111: - Addition of cpuid:806F8/0x10 SPR-HBM B3 microcode in microcode.dat at revision 0x2c000410; - Addition of cpuid:806F8/0x87 SPR-SP E5/S3 microcode in microcode.dat at revision 0x2b000650; - Addition of cpuid:90672/0x07 ADL-HX/S 8+8 C0 microcode in...

AI score 5.7
Exploits 0 | References 1
Tenable Nessus
added 2026/03/13 12:0 a.m. | 9 views

Debian dla-4498 : ata-modules-5.10.0-38-armmp-di - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4498 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4498-1 [email protected]...

CVSS 9.8 | AI score 6.4 | EPSS 0.00079
Exploits 0 | References 48
Tenable Nessus
added 2026/03/13 12:0 a.m. | 4 views

Fedora 43 : task (2026-eb2fc8e93d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-eb2fc8e93d advisory. Update to new release, includes updated dependencies that fix a number of CVEs. Tenable has extracted the preceding description block directly fr...

CVSS 8.7 | AI score 5.9 | EPSS 0.00041
Exploits 0 | References 5
OSV
added 2026/03/12 7:43 p.m. | 3 views

CVE-2026-32269 Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value ...

CVSS 6.3 | AI score 5.8 | EPSS 0.00018
Exploits 0 | References 5
Github Security Blog
added 2026/03/12 5:29 p.m. | 5 views

Parse Server: Account takeover via operator injection in authentication data identifier

Impact: An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a...

CVSS 9.8 | AI score 5.8 | EPSS 0.001
Exploits 0 | References 5 | Affected Software 1
Snyk
added 2026/03/12 5:29 p.m. | 1 views

Improper Neutralization of Special Elements in Data Query Logic

Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the findUsersWithAuthData function of authentication data...

CVSS 9.8 | AI score 5.8 | EPSS 0.001
Exploits 0 | References 2
Tenable Nessus
added 2026/03/12 12:0 a.m. | 5 views

Debian dsa-6164 : chromium - security update

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6164 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6164-1 [email protected]...

CVSS 9.6 | AI score 7.2 | EPSS 0.00148
Exploits 0 | References 61
Positive Technologies
added 2026/03/12 12:0 a.m. | 2 views

PT-2026-24913

The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the stickymenu contact lead form AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in $wpdb->insert. While...

CVSS 7.5 | AI score 5.8 | EPSS 0.00153
Exploits 0 | References 10
CNNVD
added 2026/03/12 12:0 a.m. | 3 views

Parse Server security vulnerability

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.6.0-alpha.12 and 8.6.38 contain security vulnerabilities. These vulnerabilities stem from unvalidated user identifier formats,...

CVSS 9.8 | AI score 5.8 | EPSS 0.001
Exploits 0 | References 3
CVE
added 2026/03/11 9:38 p.m. | 7 views

CVE-2026-32131

CVE-2026-32131 affects Zitadel's Management API prior to versions 3.4.8 and 4.12.2. An authenticated user with a low-privilege token (e.g., project.read, project.grant.read, or project.app.read) could retrieve management-plane information for other organizations by specifying a different tenant's...

CVSS 7.7 | AI score 5.7 | EPSS 0.00043
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2026/03/11 9:38 p.m. | 22 views

CVE-2026-32131 ZITADEL Cross-Tenant Information Disclosure in Management API

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve...

CVSS 7.7 | EPSS 0.00043
Exploits 0 | References 3
OSV
added 2026/03/10 9:22 p.m. | 4 views

CVE-2026-31820 Sylius affected by IDOR in Cart and Checkout LiveComponents

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, arg...

CVSS 7.1 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 3
CVE
added 2026/03/10 9:22 p.m. | 9 views

CVE-2026-31820

Sylius (Open Source eCommerce on Symfony) contains an authenticated insecure direct object reference (IDOR) in multiple LiveComponents. The vulnerability stems from unvalidated resource IDs accepted via #[LiveArg] parameters, where loading with ->find() occurs without ownership checks. Affecte...

CVSS 7.1 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 1 | Affected Software 1
GithubExploit
added 2026/03/10 6:33 p.m. | 109 views

sql-injection-corpus

SQL Injection Corpus - User Guide. Overview: This corpus con...

AI score 5.9
Exploits 0
OSV
added 2026/03/10 4:0 p.m. | 1 views

MINI-H8F6-H788-8HHM

Bulletin has no description...

CVSS 5.3 | AI score 5.7 | EPSS 0.00017
Exploits 1