Updated vim packages fix security vulnerabilities

Ex command injection in Vims NetBeans integration. CVE-2026-39881 Command injection via backtick expansion in tag filenames in Vim v9.2.0357. CVE-2026-41411 OS Command Injection in netrw affects Vim 9.2.0383. CVE-2026-42307 OS Command Injection via 'path' completion affects Vim 9.2.0435...

MGASA-2026-0123 Updated vim packages fix security vulnerabilities

Ex command injection in Vims NetBeans integration. CVE-2026-39881 Command injection via backtick expansion in tag filenames in Vim v9.2.0357. CVE-2026-41411 OS Command Injection in netrw affects Vim 9.2.0383. CVE-2026-42307 OS Command Injection via 'path' completion affects Vim 9.2.0435...

CVE-2026-42560

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

CVE-2026-7652

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...

EUVD-2026-28881

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...

CVE-2026-7652 LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...

CVE-2026-7652 LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...

VMware Spring AI 安全漏洞

VMware Spring AI is a development framework from VMware that integrates artificial intelligence and big language modeling capabilities in the Spring ecosystem. A security vulnerability exists in VMware Spring AI versions 1.0.0 through 1.0.7 prior and 1.1.0 through 1.1.6 prior, which stems from...

CVE-2026-41432

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

[SECURITY] Fedora 42 Update: proftpd-1.3.9a-1.fc42

ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based...

GHSA-25RP-H46X-2HJM SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)

Summary The tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in...

SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE

Summary The kernel stores Attribute View AV / database names without any HTML escape, then a render template uses raw strings.ReplaceAlltpl, "$avName", nodeAvName to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths render.ts:120 → outerHTML,...

GHSA-2H64-C999-C9R6 SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE

Summary The kernel stores Attribute View AV / database names without any HTML escape, then a render template uses raw strings.ReplaceAlltpl, "$avName", nodeAvName to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths render.ts:120 → outerHTML,...

CVE-2026-43402

Summary: CVE-2026-43402 affects the Linux kernel where kthread exit paths were consolidated to prevent a use-after-free in the kthread/pid data cleanup, after crashes traced to corrupted RCU function pointers during KUnit tests. The root cause involves a pid hashtable conversion changing structur...

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to Directory Traversal due to plexus-utils (CVE-2025-67030)

Summary IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to Directory Traversal due to plexus-utils. Vulnerability Details CVEID:CVE-2025-67030 DESCRIPTION: Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in...

Spying across Chiplets: Side-Channel Attacks in 2.5/3D Integrated Systems

Advanced packaging and chiplet-based integration are increasingly adopted to build complex heterogeneous systems beyond the limits of monolithic scaling. While these architectures offer major benefits in terms of modularity, yield, and performance, they also introduce new physical attack surfaces...

CVE-2026-33811 Crash when handling long CNAME response in net

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash...

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)

Last week, there were 87 vulnerabilities disclosed in 198 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities ...

CVE-2026-41644

monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs...

CVE-2026-25468

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Happy Addons for Elementor: from n/a through 3.20.8...