36038 matches found

Vulnrichment
added 2026/05/04 5:45 a.m., 2 views

CVE-2026-7737 osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds

A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated...

CVSS 6.9 | AI score 5.7 | EPSS 0.00033
Exploits 0 | References 6
Github Security Blog
added 2026/05/04 3:31 a.m., 5 views

Prefect SSRF Bypass via DNS Rebinding in validate_restricted_url

A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is...

CVSS 5 | AI score 5.1 | EPSS 0.0003
Exploits 0 | References 11 | Affected Software 1
ATTACKERKB
added 2026/05/04 2:45 a.m., 5 views

CVE-2026-7724

A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is...

CVSS 5 | AI score 5.1 | EPSS 0.0003
Exploits 0 | References 9 | Affected Software 1
Positive Technologies
added 2026/05/04 12:00 a.m., 2 views

PT-2026-36754

Name of the Vulnerable Software and Affected Versions: PrefectHQ prefect versions prior to 3.6.28.dev2. Description: A time-of-check time-of-use (TOCTOU) issue exists in the validate_restricted_url function of the Webhook/Notification component. This flaw allows a remote attacker to manipulate the...

CVSS 5 | AI score 5.9 | EPSS 0.0003
Exploits 0 | References 11
CNNVD
added 2026/05/04 12:00 a.m., 4 views

Prefect race condition vulnerability

Prefect is a workflow orchestration tool developed by Prefect OpenSource, enabling developers to build, monitor data pipelines, and respond to changes in those pipelines. Prefect versions 3.6.28.dev1 and earlier contained a race condition vulnerability. This vulnerability stemmed from a problem...

CVSS 5 | AI score 6 | EPSS 0.0003
Exploits 0 | References 1
AstraLinux
added 2026/05/03 11:59 p.m., 6 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: Wifi: ath12k – Prevent sending WMI commands to firmware during a firmware crash Currently, we encounter the following kernel call trace when a firmware crash occurs. This occurs because the host sends WMI commands to the...

CVSS 5.5 | AI score 6.4 | EPSS 0.0003
Exploits 0 | References 2
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: nexthop: Memory leaks in the nexthop notification chain listeners have been fixed. Syzkaller identified memory leaks [1] that can be addressed by executing the following commands: ip nexthop add id 1 blackhole devlink dev reload...

CVSS 7.1 | AI score 5.7 | EPSS 0.00015
Exploits 0 | References 2
ATTACKERKB
added 2026/05/02 12:00 p.m., 2 views

CVE-2026-7628

A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The...

CVSS 6.5 | AI score 5.6 | EPSS 0.01521
Exploits 0 | References 7 | Affected Software 1
GithubExploit
added 2026/05/02 1:51 a.m., 52 views

Exploit for Missing Authentication for Critical Function in Cpanel

CVE-2026-41940 – cPanel/WHM Auth Bypass + Root Password Changer...

CVSS 9.8 | AI score 6 | EPSS 0.90339
Exploits 61
Patchstack
added 2026/05/01 9:15 a.m., 3 views

WordPress WP Notification Bell plugin <= 1.4.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Notification Bell versions <= 1.4.2...

CVSS 6.1 | AI score 5.8 | EPSS 0.00135
Exploits 0 | References 1 | Affected Software 1
Positive Technologies
added 2026/05/01 12:00 a.m., 1 view

PT-2026-36260

A flaw has been found in Open5GS up to 2.7.7. This issue affects the function amf_namf_callback_handle_sdm_data_change_notify of the file /namf-callback/v1/id/sdmsubscription-notify of the component AMF SBI Endpoint. This manipulation of the argument changeItem.newValue causes denial of service...

CVSS 5.3 | AI score 5.5 | EPSS 0.00017
Exploits 0 | References 6
Amazon
added 2026/04/30 12:00 a.m., 2 views

Important: cups

Issue Overview: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri e.g., rss:///../job.cache, letting a remote IPP client write RSS XML bytes outside...

CVSS 7.8 | AI score 6.5 | EPSS 0.00032
Exploits 6
OSV
added 2026/04/29 9:23 p.m., 2 views

GHSA-537J-GQPC-P7FQ n8n Vulnerable to XSS via MCP OAuth client

Impact: An unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...

CVSS 8.8 | AI score 6 | EPSS 0.00115
Exploits 0 | References 3
Github Security Blog
added 2026/04/29 9:23 p.m., 6 views

n8n Vulnerable to XSS via MCP OAuth client

Impact: An unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...

CVSS 9.6 | AI score 5.8 | EPSS 0.00115
Exploits 0 | References 3 | Affected Software 1
OSV
added 2026/04/29 4:12 p.m., 3 views

OPENSUSE-SU-2026:20654-1 Security update for grafana

This update for grafana fixes the following issues: Changes in grafana: - Update to version 11.6.11: Features and enhancements: Alerting: Add limits for the size of expanded notification templates Correlations: Remove support for orgid=0 Security: CVE-2026-21722: Public dashboards annotations: us...

CVSS 9.9 | AI score 6.9 | EPSS 0.94047
Exploits 20 | References 53
ATTACKERKB
added 2026/04/29 3:34 p.m., 1 view

CVE-2026-40229

Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML...

CVSS 5.1 | AI score 5 | EPSS 0.00034
Exploits 1 | References 3 | Affected Software 1
Positive Technologies
added 2026/04/29 12:00 a.m., 3 views

PT-2026-35950

Name of the Vulnerable Software and Affected Versions: Helpy version 2.8.0. Description: A stored cross-site scripting issue exists in the post author display logic. A registered user can persist arbitrary HTML in the account name field, which is then rendered unescaped in public forum threads, the...

CVSS 5.4 | AI score 5.8 | EPSS 0.00034
Exploits 1 | References 6
Malwarebytes
added 2026/04/27 7:02 a.m., 4 views

A week in security (April 20 – April 26)

Last week on Malwarebytes Labs: Medical data of 500,000 UK volunteers listed for sale on Alibaba; How cyberattacks on companies affect everyone; Apple fixes iOS bug that kept deleted notifications, including chat previews; Roblox clamps down on chats and age checks as legal pressure builds; Malicious...

AI score 5.4
Exploits 0
Positive Technologies
added 2026/04/26 12:00 a.m., 2 views

PT-2026-35202

A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The...

CVSS 5.1 | AI score 4.8 | EPSS 0.00029
Exploits 0 | References 5
OSV
added 2026/04/25 9:45 a.m., 3 views

MAL-2026-3078 Malicious code in axis-notification (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 341ed22195f4a5533e72c654980bb1eecb5d0fb91c70a5132ca728978d68de54 The package axis-notification was found to contain malicious code. Source: ghsa-malware...

AI score 5.8
Exploits 0 | References 1