Linux Distros Unpatched Vulnerability : CVE-2026-31486

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - hwmon: pmbus/core Protect regulator operations with mutex The regulator operations pmbusregulatorgetvoltage, pmbusregulatorsetvoltage, and...

CVE-2026-40871

CVE-2026-40871 affects the mailcow: dockerized project. Versions prior to 2026-03b are vulnerable to a second-order SQL injection in the quarantine_category field exposed via the Mailcow API, specifically at the /api/v1/add/mailbox endpoint. The input is stored without validation and later used b...

CVE-2026-40871 mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API

mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantinecategory field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantinecategory without validation or sanitizatio...

Unity Linux 20.1050e / 20.1060e Security Update: kernel (UTSA-2026-011338)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011338 advisory. In the Linux kernel, the following vulnerability has been resolved: net: fix stack overflow when LRO is disabled for virtual interfaces When the virtual interface's...

CVE-2026-40282

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript into the Intercorrências notification page, which is executed when user access the the page, enabling sessio...

WordPress Notification for Telegram plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Notification for Telegram versions = 3.5...

CVE-2026-6615

creationtimestamp| type| source ---|---|--- 2026-04-20 09:17:22+00:00| seen| Telegram/Lm9dzPhVRFRRMgyzsUGG1X5A2Qj2Q71JCDe8XQUe2-0mpLw 2026-04-20 09:17:32+00:00| published-proof-of-concept| Telegram/dHZAiReHh3JiUrfgQPfNqqAXuvlx8Y00v-wmqaVYIp72jk...

Temporal UI State Inconsistency in Desktop GUI Agents: Formalizing and Defending against TOCTOU Attacks on Computer-Use Agents

GUI agents that control desktop computers via screenshot-and-click loops introduce a new class of vulnerability: the observation-to-action gap mean 6.51 s on real OSWorld workloads creates a Time-Of-Check, Time-Of-Use TOCTOU window during which an unprivileged attacker can manipulate the UI state...

PT-2026-33640

Name of the Vulnerable Software and Affected Versions mailcow: dockerized versions prior to 2026-03b Description A second-order SQL injection exists in the Mailcow API. The endpoint '/api/v1/add/mailbox' stores the quarantine category variable without proper validation or sanitization. This value...

A Novel Quantum Augmented Framework to Improve Microgrid Cybersecurity

Small modular nuclear reactors SMRs are redefining the energy generation landscape by enabling the deployment of modular, scalable, and pre-built power units that can be used to build distributed autonomous microgrids for critical infrastructure and burgeoning AI factories. Often, these microgrid...

OESA-2026-1932 cups security update

CUPS is the standards-based, open source printing system developed by Apple Inc. for UNIX®-like operating systems. CUPS uses the Internet Printing Protocol IPP to support printing to local and network printers. Security Fixes: OpenPrinting CUPS is an open source printing system for Linux and othe...

[SECURITY] Fedora 44 Update: kf6-knotifications-6.25.0-1.fc44

KDE Frameworks 6 Tier 3 solution with abstraction for system notifications...

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the handler for creating or updating Traffic Influence Subscriptions due to improper validation of the influenceId path segment. An attacker can create or overwrite arbitrary Traffic Influence Subscriptions,...

CVE-2026-40249 free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/subsId does not return after request body retrieval or deserialization...

CVE-2026-40249 free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/policy-data/subs-to-notify/subsId does not return after request body retrieval or deserialization...

CVE-2026-40248

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404...

SUSE CVE-2026-3392

A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function evaltree of the file src/lilyemitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could ...

CVE-2026-3551 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

CVE-2026-3551

The CVE-2026-3551 issue affects the WordPress plugin Custom New User Notification (versions up to 1.2.0). It is a Stored XSS due to insufficient input sanitization and output escaping in multiple admin settings fields (e.g., User Mail Subject, User From Name/Email, Admin Mail Subject, Admin From ...

WordPress Custom New User Notification plugin <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via 'User Mail Subject' Setting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Custom New User Notification versions = 1.2.0...