CVE-2026-52778

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator CalcField.php of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passin...

Security Bulletin: A vulnerability in the Axios package affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.

Summary Security Bulletin: A vulnerability in the Axios package affects IBM® Db2® Big SQL 8 and earlier on IBM Cloud Pak for Data 5.3.1 and earlier. Vulnerability Details CVEID:CVE-2026-25639 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 a...

Security Bulletin: A vulnerability in package Lodash affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.

Summary A vulnerability in OpenSSL affects IBM® Db2® Big SQL 8 and earlier on IBM Cloud Pak for Data 5.3.1 and earlier. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacke...

SUSE-SU-2026:1858-1 Security update for the Linux Kernel RT (Live Patch 4 for SUSE Linux Enterprise 15 SP7)

This update for the SUSE Linux Enterprise Kernel 6.4.0-150700.7.16 fixes one security issue The following security issue was fixed: - CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags bsc1264459...

CVE-2026-41496

CVE-2026-41496 affects PraisonAI’s multi‑agent system where 9 conversation backends (MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB) pass table_prefix directly into SQL, enabling unvalidated injection points (52 total). Root cause mirrors CVE-2026-40315 ...

CVE-2026-42285 GoBGP: Panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference)

GoBGP is an open source Border Gateway Protocol BGP implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent...

CVE-2026-42285

GoBGP is an open source Border Gateway Protocol BGP implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent...

GHSA-3888-Q23F-X7QH October CMS has Safe Mode Bypass via CSS Preprocessor Compilers

A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even...

CVE-2026-25726

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now.UnixNano to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated...

PT-2026-29784

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the searchCustomPages method in phpmyfaq/src/phpMyFAQ/Search.php uses real escape string via escape to sanitize the search term before embedding it in LIKE clauses. However, real escape string does not escape SQL LIKE...

SUSE CVE-2026-29192

ZITADEL is an open source identity management platform. From version 4.0.0 to 4.11.1, a vulnerability in Zitadel's login V2 interface was discovered that allowed a possible account takeover via Default URI Redirect. This issue has been patched in version 4.12.0...

PT-2026-27471

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP PROXY and HTTPS PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied sear...

EUVD-2026-8826

Fleet: Device lock PIN can be predicted if lock time is known...

EUVD-2026-5207

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories Name &...

CVE-2026-24665 Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) via Student Assignment Upload

The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting XSS vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors vie...

CVE-2026-24664

Open eClass (formerly GUnet eClass) is affected prior to version 4.2 by a username enumeration issue where unauthenticated attackers can determine valid accounts by observing differences in login responses. The vulnerability specifically involves the login workflow, including the /login endpoint,...

CVE-2026-24398

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate...

SUSE SLES15 Security Update : kernel (Live Patch 4 for SUSE Linux Enterprise 15 SP7) (SUSE-SU-2026:0209-1)

The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0209-1 advisory. This update for the SUSE Linux Enterprise kernel 6.4.0-150700.53.16 fixes various security issues The following security issues were fixed: -...

CVE-2022-38463

ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS in the logout functionality...

CVE-2025-66029 Open OnDemand affected by Apache proxy passing sensitive headers

Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that record these headers when unsuspecting users connect to...