CVE-2026-41837 Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14;...

CVE-2026-46657

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

Malicious code in hey-base32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...

CVE-2026-49948

CVE-2026-49948 affects Mem0 versions up to 0.2.8 (fixed in commit ae7f406) where the self-hosted server’s POST /configure endpoint can modify global LLM provider and embedder configuration without validating the caller’s role. Authentication via JWT or distributed API key is insufficient, allowin...

MAL-2026-5383 Malicious code in @doaction/wasm-loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 118555cc138d5dbc40c11c385af69fa4c6c5caa2fc05e6b0b49c65cc69491a78 Package name and description advertise a 'WASM loader,' but the tarball ships no WebAssembly code. Instead, package.json declares "preinstall": "node...

Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Impact Puma is vulnerable to source IP spoofing when setremoteaddress proxyprotocol: :v1 is enabled and persistent connections are used. PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, befo...

GHSA-2VQW-3MP8-CGMX Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Impact Puma is vulnerable to source IP spoofing when setremoteaddress proxyprotocol: :v1 is enabled and persistent connections are used. PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, befo...

PT-2026-47626

Impact Puma is vulnerable to source IP spoofing when set remote address proxy protocol: :v1 is enabled and persistent connections are used. PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection,...

TYPO3 CMS 代码问题漏洞

TYPO3 CMS is a content management system developed under the TYPO3 open source framework. Code vulnerabilities existed in versions prior to TYPO3 CMS 10.4.57, as well as in versions 11.0.0 to 11.5.51, 12.0.0 to 12.4.46, 13.0.0 to 13.4.31, and 14.0.0 to 14.3.3. These vulnerabilities stemmed from...

UBUNTU-CVE-2026-11611

A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during...

CVE-2026-11611

CVE-2026-11611 concerns the Content Synchronization persistent search plugin in 389 Directory Server. The flaw enables denial of service via unbounded memory growth when an authenticated client stops reading sync responses, and there are additional race conditions in the plugin thread lifecycle t...

CVE-2026-46657

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

CVE-2026-46657

Bludit CMS prior to 3.22.0 has a vulnerability in user management: when an administrator disables a user, tokenAuth and tokenRemember in the JSON database are not invalidated. As a result, users with an existing Remember Me cookie can bypass disablement and remain authenticated. This issue impact...

EUVD-2026-35085

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

CVE-2023-54352 WordPress Seotheme Remote Code Execution Unauthenticated

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands...

PT-2026-47234

Name of the Vulnerable Software and Affected Versions Seotheme affected versions not specified Description An issue in the WordPress Seotheme allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP...

Medium: device-mapper-persistent-data

Issue Overview: An unsoundness issue RUSTSEC-2026-0097 was found in the bundled Rust rand crate used by device-mapper-persistent-data. ThreadRng methods use unsafe code that can create aliased mutable references when a custom logger accesses rand::rng or rand::threadrng during reseeding, resultin...

PT-2026-47329

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

389 Directory Server 资源管理错误漏洞

389 Directory Server is an open-source implementation of a highly available, fully functional, reliable, and secure LDAP server. There is a resource management vulnerability in 389 Directory Server, which stems from the Content Synchronization persistent search plugin allowing unlimited memory...

Bludit 安全漏洞

Bludit is an open-source, lightweight blog content management system developed by Bludit. Versions of Bludit prior to 3.22.0 contained security vulnerabilities. These vulnerabilities stemmed from a flaw in the user management logic: when accounts were disabled, persistent authentication tokens we...