PT-2026-44829

Weak authentication between the Wireless Control Module WCM and the Engine Control Module ECM of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively...

PT-2026-44800

Name of the Vulnerable Software and Affected Versions Acer Wave 7 router affected versions not specified Description The upload.cgi binary, which processes device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, which can...

Linux Distros Unpatched Vulnerability : CVE-2026-46163

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wifi: b43legacy: enforce bounds check on firmware key index in RX path Same fix as b43: the firmware- controlled key index in b43legacyrx can exceed...

WWBN AVideo 跨站脚本漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the Live plugin’s YouTube-style view, which rendered the live stream key directly into HTML...

PT-2026-44998

Name of the Vulnerable Software and Affected Versions ExtremeCloud IQ affected versions not specified Description A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path can intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued AP...

Linux Distros Unpatched Vulnerability : CVE-2026-48526

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC...

Linux Distros Unpatched Vulnerability : CVE-2026-46122

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wifi: b43: enforce bounds check on firmware key index in b43rx The firmware-controlled key index in b43rx can exceed the dev-key array size 58 entries. The...

PT-2026-44940

Name of the Vulnerable Software and Affected Versions liboqs versions prior to 0.16.0 Description An out-of-bounds read exists in the XMSS and XMSS^MT stateful signature verification code. This occurs when the verification function is called with a signature buffer sized for the declared algorith...

Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-42508)

The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-42508 advisory. - Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocatio...

StrongSwan security vulnerabilities

strongSwan is an open-source VPN solution based on IPsec, developed by Andreas Steffen of Switzerland. This solution includes X.509 public key certificates, secure storage of private keys, and authentication mechanisms such as smart cards. strongSwan has security vulnerabilities, which stem from...

RockyLinux 10 : p11-kit (RLSA-2026:18143)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:18143 advisory. p11-kit: p11-kit: NULL dereference via CDeriveKey with specific NULL parameters CVE-2026-2100 Tenable has extracted the preceding description block directly fro...

RockyLinux 9 : grafana-pcp (RLSA-2026:19351)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19351 advisory. golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root CVE-2026-32282 crypto/tls: golang: Go crypto/tls: Denial of Service via...

Linux Distros Unpatched Vulnerability : CVE-2026-42789

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP publickey pubkeycert module allows a non-CA certificate to be accepted as an...

Linux Distros Unpatched Vulnerability : CVE-2026-48523

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or...

Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-39829)

The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-39829 advisory. - The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted...

CVE-2026-46122

A flaw was found in the Linux kernel's b43 Wi-Fi driver. A remote attacker could exploit this vulnerability by providing a specially crafted firmware key index that exceeds the allocated array size in the b43rx function. This out-of-bounds read could lead to information disclosure, potentially...

UBUNTU-CVE-2026-49130

Music Player Daemon MPD before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references...

CVE-2026-46427

Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...

CVE-2026-45039

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, getsharedsecret in crates/ecstore/src/rpc/httpauth.rs, falls back to...

CVE-2026-45041

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parselicense to "verify" license tokens. Because the key is embedded in every...