CVE-2026-23433

In the Linux kernel, the following vulnerability has been resolved: armmpam: Fix null pointer dereference when restoring bandwidth counters When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpamrestorembwustate calls rismsmonread via ipi to restore the...

MAL-2026-2470 Malicious code in strapi-plugin-monitor (npm)

strapi-plugin-monitor is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...

Use After Free

Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the powerMonitor function. An attacker can cause memory corruption or application crashes by triggering...

Use After Free

Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the powerMonitor function. An attacker can cause memory corruption or application crashes...

GHSA-JJP3-MQ3X-295M Electron: Use-after-free in PowerMonitor on Windows and macOS

Impact Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources a message window on Windows, a shutdown handler on macOS retain dangling references. A subsequent session-change event...

PT-2026-30000

Impact Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources a message window on Windows, a shutdown handler on macOS retain dangling references. A subsequent session-change event...

Malicious Package

Overview strapi-plugin-monitor is a malicious package. This package contains malicious code that conceals a command-and-control agent and credential harvester. A malicious actor published a coordinated campaign of thirty-six packages disguised as community Strapi CMS plugins. These packages aren'...

CVE-2026-31935

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

CVE-2025-67805

A non-default configuration in Sage DPW 202506004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Clou...

CVE-2026-3356

The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a...

EUVD-2025-209164

A non-default configuration in Sage DPW 202506004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Clou...

CVE-2026-4267

The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$SERVER'REQUESTURI'’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2025-67805

A non-default configuration in Sage DPW 202506004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Clou...

CVE-2026-3881

The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks...

WordPress Query Monitor plugin <= 3.20.3 - Reflected Cross-Site Scripting via Request URI vulnerability

Reflected Cross-Site Scripting via Request URI vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Query Monitor versions = 3.20.3...

CVE-2026-5259

A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a manipulation can lead to...

WordPress Performance Monitor plugin <= 1.0.6 - Unauthenticated Blind SSRF vulnerability

Unauthenticated Blind SSRF vulnerability discovered by Afshin Shekaari in WordPress Plugin Performance Monitor versions = 1.0.6...

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade

Summary When only a route-level group allowlist was configured, sender policy resolution silently downgraded from allowlist to open instead of preserving the configured group policy. Impact Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the...

CVE-2025-67805

A non-default configuration in Sage DPW 202506004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Clou...

PT-2026-29528

A non-default configuration in Sage DPW 2025 06 004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW...