CVE-2026-6566 Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

NVIDIA BioNeMo 代码问题漏洞

NVIDIA BioNeMo is a generative AI model development and training platform for the biomedical field developed by NVIDIA Corporation in the United States. NVIDIA BioNeMo has code vulnerabilities, which stem from insecure data deserialization. These vulnerabilities may lead to code execution, denial...

PT-2026-42144

HCL BigFix Service Management SM is susceptible to a Configuration – 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment...

NVIDIA TRT-LLM 代码问题漏洞

NVIDIA TRT-LM is a high-performance inference framework developed by NVIDIA Corporation for optimizing the inference acceleration and deployment of large language models. NVIDIA TRT-LM has code-related vulnerabilities, which stem from insecure deserialization in the MPI server. These...

PT-2026-42270

Name of the Vulnerable Software and Affected Versions Crypt::SaltedHash versions prior to 0.10 Description Crypt::SaltedHash for Perl generates insecure random values for salts because it utilizes the built-in rand function, which is predictable and unsuitable for cryptographic purposes...

PT-2026-42189

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid...

PT-2026-42225

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy CSP and a publicly reachable...

perl-Crypt-SaltedHash 安全特征问题漏洞

perl-Crypt-SaltedHash is a Perl password hashing tool developed by Robert Rothenberg. Versions of perl-Crypt-SaltedHash prior to 0.09 contained security vulnerabilities. These vulnerabilities stemmed from the use of the built-in rand function to generate insecure random salt values. This function...

NVIDIA TRT-LLM 代码问题漏洞

NVIDIA TRT-LM is a high-performance inference framework developed by NVIDIA Corporation for optimizing the inference acceleration and deployment of large language models. NVIDIA TRT-LM has code-related vulnerabilities, which stem from insecure deserialization during RPC tests. These vulnerabiliti...

NVIDIA TRT-LLM 代码问题漏洞

NVIDIA TRT-LM is a high-performance inference framework developed by NVIDIA Corporation for optimizing the inference acceleration and deployment of large language models. NVIDIA TRT-LM has code-related vulnerabilities, including deserialization vulnerabilities and insecure serialization handles,...

PT-2026-42112

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

CVE-2026-34234

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer public/installer/index.php is vulnerable to unauthenticated Remote Code Execution RCE because it performs the install.lock check only after including and executing form handler...

vim: arbitrary command execution via modeline sandbox bypass

A flaw was found in Vim. A modeline is used to set specific editor options directly from a text file. However, the complete, guitabtooltip, printheader options and the mapset function lack proper security checks, allowing an attacker to bypass restrictions and cause arbitrary OS command execution...

APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

GHSA-9CFW-F3F9-7MM7 APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

Important: Red Hat Security Advisory: python3.14 security update

An update for python3.14 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fro...

CVE-2026-31072

A flaw was found in APScheduler, affecting its JSONSerializer and CBORSerializer components. This vulnerability, known as insecure deserialization, allows a remote attacker to execute arbitrary code on the system. By sending a specially crafted data payload, an attacker can manipulate the...

WordPress Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Image Deletion vulnerability discovered by Bao Luu Gia Nguyen in WordPress Plugin NextGEN Gallery versions = 4.2.0...

DEBIAN-CVE-2026-31072

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

CVE-2026-31072

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...