36098 matches found
CVE-2026-58050
creation timestamp | type | source
---|---|---
2026-06-28 05:35:29+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mpdauuqzkh2o
2026-06-28 08:29:56+00:00 | seen | https://bsky.app/profile/securityonline.bsky.social/post/3mpdkms5yf726...
SureForms <= 1.13.1 - Sensitive Information Exposure
SureForms WordPress plugin <= 1.13.1 contains a sensitive information exposure caused by setting 'auth_callback' to '__return_true' when registering the 'srfm_email_notification' post meta, which lets unauthenticated attackers read sensitive email notification data; exploitation requires no authentication. id:...
EUVD-2026-39949
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN callback handler...
EUVD-2026-32861
Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: flux-notification-controller, docker-cli-buildx, fulcio, cilium-cli, cloud-provider-aws, ko, sops, kaf, pulumi-language-dotnet, cluster-api-azure-controller, k8sgpt, age, zarf, openbao, terraform-provider-tls, gitea, gitlab-kas, ksops,...
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: flux-notification-controller, docker-cli-buildx, fulcio, cilium-cli, cloud-provider-aws, ko, sops, kaf, pulumi-language-dotnet, crossplane-provider-aws-lambda, cluster-api-azure-controller, k8sgpt, zarf, openbao, terraform-provider-tls, gitea, gitlab-kas, ksops,...
CVE-2026-56772
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary userid values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate userid values to access...
CVE-2026-53167
In the Linux kernel, the following vulnerability has been resolved: fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios. FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already in...
CVE-2026-52795
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...
EUVD-2026-38955
In the Linux kernel, the following vulnerability has been resolved: net: bcmgenet: fix leaking free_bds. While reclaiming the tx queue we fast-forward the write pointer to drop any data in flight. These dropped frames are not added back to the pool of free bds. We also need to tell the netdev that ...
CVE-2026-54324 Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification...
CVE-2026-54324 affects Daytona API service (NestJS) used in Daytona's notification WebSocket gateway. The cross-tenant flaw allowed any authenticated user to join another organization's realtime channel by binding a client-supplied organization ID to the corresponding room without verifying membe...
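The join flow described in the Daytona entries above, as an added example that is not Daytona's or NestJS's code: a client-supplied organizationId is bound to a notification room either directly (the vulnerable pattern) or only after the server-side session confirms membership (the fix). The session and room tables, the helper names (handleJoinVulnerable, handleJoinHardened, membersOf) and the users alice/bob are constructed for this illustration. The same server-side ownership check is what the NewsBlur /social/interactions entry above is missing for its userid parameter.

```typescript
// Added example (not project code). Models a WebSocket gateway's
// "join organization room" handler without any framework dependency.

// Server-side session created when the socket authenticates. Identity and
// memberships are loaded on the server; nothing here comes from the client.
interface Session {
  userId: string;
  memberOf: Set<string>; // organizations this user belongs to
}

// Constructed data: alice belongs to org-a, bob belongs to org-b.
const sessions: Record<string, Session> = {
  alice: { userId: "alice", memberOf: new Set(["org-a"]) },
  bob: { userId: "bob", memberOf: new Set(["org-b"]) },
};

// Room name -> connected user ids. Stands in for the socket server's rooms.
const rooms = new Map<string, Set<string>>();

function roomFor(orgId: string): string {
  return `org:${orgId}`;
}

function joinRoom(room: string, userId: string): void {
  if (!rooms.has(room)) rooms.set(room, new Set());
  rooms.get(room)!.add(userId);
}

// Vulnerable pattern: the caller only has to be authenticated; the
// organizationId in the message is trusted and used directly as the room key,
// so any user can subscribe to any organization's notifications.
function handleJoinVulnerable(
  socketUser: string,
  msg: { organizationId: string },
): boolean {
  const session = sessions[socketUser];
  if (!session) return false; // unauthenticated sockets are rejected
  joinRoom(roomFor(msg.organizationId), session.userId);
  return true;
}

// Hardened pattern: authorization is derived from the server-side session.
// The client-supplied id is only accepted if the session already lists that
// organization; otherwise no room binding happens at all.
function handleJoinHardened(
  socketUser: string,
  msg: { organizationId: string },
): boolean {
  const session = sessions[socketUser];
  if (!session) return false;
  if (!session.memberOf.has(msg.organizationId)) return false; // cross-tenant attempt
  joinRoom(roomFor(msg.organizationId), session.userId);
  return true;
}

// Recipients a broadcast to orgId would reach: the observable leak.
function membersOf(orgId: string): string[] {
  return [...(rooms.get(roomFor(orgId)) ?? [])].sort();
}

function resetRooms(): void {
  rooms.clear();
}

// Stand-alone demonstration.
resetRooms();
handleJoinVulnerable("bob", { organizationId: "org-a" });
console.log("vulnerable, org-a recipients:", membersOf("org-a")); // includes bob
resetRooms();
handleJoinHardened("bob", { organizationId: "org-a" });
handleJoinHardened("alice", { organizationId: "org-a" });
console.log("hardened, org-a recipients:", membersOf("org-a")); // alice only
```

The key design point is that the check consults data the server already holds about the authenticated socket; re-reading membership from a client-controlled field, or looking it up by the client-supplied id alone, would reintroduce the same flaw.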
EUVD-2026-38240 / CVE-2026-12888 HTML injection in the Canarytoken Google Chat notification
An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90...
CVE-2026-12888 describes an HTML injection vulnerability in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens. The issue allows interface manipulation by an attacker who can insert limited HTML content, including links, into the webhook payload. Affects Canarytoke...
CVE-2026-41178 vulnerabilities
Vulnerabilities for packages: flux-notification-controller, helm-operator, grafana-image-renderer, cloud-provider-aws, spicedb-operator, goreleaser, k8sgpt, grafana-mimir, cadvisor, zarf, openbao, ferretdb, boring-registry, gitlab-kas, ksops, cluster-api-helm-controller, kots, azurefile-csi,...
GHSA-5WRP-CWCJ-Q835 vulnerabilities
Vulnerabilities for packages: flux-notification-controller, helm-operator, grafana-image-renderer, cloud-provider-aws, spicedb-operator, goreleaser, k8sgpt, grafana-mimir, cadvisor, zarf, openbao, ferretdb, boring-registry, gitlab-kas, ksops, cluster-api-helm-controller, kots, azurefile-csi,...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: io_uring/net: Ensure that the import of the vectorized buffer node is tied to the notification. When support for vectorized registered buffers was added, the import itself uses 'req' instead of the notification io_kiocb, sr->notif...
Astra Linux – Vulnerability in exim4
Exim 4 before 4.94.2 has an improper neutralization of line delimiters, which is relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can cause a new line to be inserted into a spool header file, thereby indirectly allowing unauthenticated...