
29083 matches found

CVE
added 2026/05/26 10:53 p.m. | 12 views

CVE-2026-8647

CVE-2026-8647 affects Crypt::ScryptKDF for Perl up to version 0.010. When no CSPRNG module is available, the random_bytes path falls back to Perl's built-in rand(), enabling insecure randomness in key derivation. The issue arises if Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random,...

CVSS: 4.8 | AI score: 5.8 | EPSS: 0.00036
Exploits: 0 | References: 3
EUVD
added 2026/05/26 9:32 p.m. | 6 views

EUVD-2025-209945

SailingLab AppLock aka com.alpha.applock 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through...

AI score: 5.8 | EPSS: 0.00027
Exploits: 0 | References: 4
EUVD
added 2026/05/26 9:31 p.m. | 10 views

EUVD-2025-209947

Easyelife App lock aka Fingerprint,Applock or locker.app.safe.applocker 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows -...

AI score: 5.8 | EPSS: 0.00036
Exploits: 0 | References: 4
NVD
added 2026/05/26 9:16 p.m. | 9 views

CVE-2025-68711

AppLockZ App Lock and Fingerprint Lock applock.passwordfingerprint.applockz 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface...

CVSS: 2.4 | EPSS: 0.00027
Exploits: 0 | References: 3
CVE
added 2026/05/26 5:29 p.m. | 17 views

CVE-2026-44776

Kavita (cross‑platform reading server) prior to 0.9.0 did not enforce library‑level authorization for several download and metadata endpoints, allowing a low‑privileged user who knows a chapterId/volumeId/seriesId to access unrelated library content. Affected endpoints include /api/Download/volum...

CVSS: 5.9 | AI score: 5.7 | EPSS: 0.00047
Exploits: 0 | References: 1
NVD
added 2026/05/26 5:16 p.m. | 7 views

CVE-2026-2264

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVSS: 9.2 | EPSS: 0.00188
Exploits: 0 | References: 1
EUVD
added 2026/05/26 4:43 p.m. | 9 views

EUVD-2026-31878

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set...

AI score: 5.8 | EPSS: 0.00001
Exploits: 0 | References: 1
EUVD
added 2026/05/26 4:30 p.m. | 9 views

EUVD-2026-31865

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVSS: 9.2 | AI score: 5.8 | EPSS: 0.00188
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/26 4:30 p.m. | 7 views

CVE-2026-2264

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVSS: 9.2 | AI score: 5.8 | EPSS: 0.00188
Exploits: 0 | References: 2
CVE
added 2026/05/26 4:30 p.m. | 11 views

CVE-2026-2264

CVE-2026-2264 describes a vulnerability in Google Cloud Apigee SetIntegrationRequest policy enabling remote SSRF and exfiltration of service account tokens. Exploitation required an insecure API proxy configuration; CVSS metrics indicate network access with low complexity, no privileges, and high...

CVSS: 9.2 | AI score: 5.8 | EPSS: 0.00188
Exploits: 0 | References: 1
Cvelist
added 2026/05/26 4:30 p.m. | 35 views

CVE-2026-2264 Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVSS: 9.2 | EPSS: 0.00188
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/26 4:30 p.m. | 13 views

CVE-2026-2264 Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVSS: 9.2 | AI score: 5.8 | EPSS: 0.00188
Exploits: 0 | References: 1
NVD
added 2026/05/26 4:16 p.m. | 10 views

CVE-2026-38587

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique...

CVSS: 4.3 | EPSS: 0.00008
Exploits: 0 | References: 1
Debian
added 2026/05/26 1:49 p.m. | 15 views

[SECURITY] [DSA 6297-1] samba security update

Debian Security Advisory DSA-6297-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 26, 2026 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.01022
Exploits: 5
SUSE Linux
added 2026/05/26 12:36 p.m. | 7 views

Security update for samba

This update for samba fixes the following issues: CVE-2026-2340: vfsworm does not block directory modification bsc1261158. CVE-2026-3012: group policy certificate enrollment uses http:// without validation bsc1261159. CVE-2026-3238: unauthenticated udp packet crashes AD DC nbt server bsc1261160...

CVSS: 10 | AI score: 5.8 | EPSS: 0.01022
Exploits: 5 | References: 20
NVD
added 2026/05/26 8:16 a.m. | 7 views

CVE-2026-44468

The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary...

CVSS: 8.5 | EPSS: 0.00011
Exploits: 0 | References: 1
Friends Of PHP
added 2026/05/26 8:0 a.m. | 9 views

CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

More info at https://symfony.com/cve-2026-46644...

AI score: 5.8
Exploits: 0 | Affected Software: 1
Debian CVE
added 2026/05/26 8:0 a.m. | 7 views

CVE-2026-46644

insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels...

AI score: 5.8
Exploits: 0
EUVD
added 2026/05/26 6:39 a.m. | 12 views

EUVD-2026-31797

The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before...

CVSS: 8.5 | AI score: 5.8 | EPSS: 0.00011
Exploits: 0 | References: 1