CVE-2026-41732

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

Advance Post Prefix WordPress plugin - Reflected XSS

Advance Post Prefix WordPress plugin through 1.1.1 contains a reflected cross-site scripting caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12734 info: name: Advance...

Traefik - Open Redirect

Traefik before 1.7.26, 2.2.8, and 2.3.0-rc3 contains an open redirect vulnerability in the X-Forwarded-Prefix header. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2020-15129 info: name:...

CVE-2026-50127

CVE-2026-50127 affects Weblate (versions 5.15 up to, but not including, 2026.6). The VCS_RESTRICT_PRIVATE check did not properly account for certain transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, allowing some addresses to bypass private-range restrictions. The i...

CVE-2026-50127 Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions...

CVE-2026-50569

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeU...

CVE-2026-50569

The CVE concerns Fission (Kubernetes-native serverless framework). Before version 1.25.0, HTTPTriggerSpec.Validate() checked Methods, FunctionReference, Host, IngressConfig, and CorsConfig but silently skipped RelativeURL and Prefix; these fields were only validated at the CLI. As a result, an HT...

CVE-2026-50569 Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypasses CLI checks

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeU...

EUVD-2026-36072

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefixpath,...

CVE-2026-50568

Fission (Kubernetes-native serverless framework) has a lexical path check vulnerability in SanitizeFilePath (pkg/utils/utils.go) that used strings.HasPrefix(path, safedir) instead of a directory-boundary check. This allowed a sibling directory escape (e.g., /packages-extra/evil under /packages) t...

CVE-2026-49738

The path allowance check in GeneralUtility::isAllowedAbsPath performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator...

EUVD-2026-35909

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVE-2026-41732

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

PT-2026-48514

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeU...

Erlang/OTP -- SFTP READLINK discloses server filesystem paths

https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh reports: The SSH SFTP daemon's handling of SSHFXPREADLINK returned symbolic link targets containing the server's absolute filesystem path, disclosing the backend root prefix to clients. The handler now strips the backend root...

MGASA-2026-0182 Updated ruby-net-ssh packages fix security vulnerabilities

This update fixes CVE-2023-48795: Prefix Truncation Attacks in SSH Specification Terrapin Attack , for ruby-net-ssh...

Updated ruby-net-ssh packages fix security vulnerabilities

This update fixes CVE-2023-48795: Prefix Truncation Attacks in SSH Specification Terrapin Attack , for ruby-net-ssh...

CVE-2026-11793

A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can...

CVE-2026-49738 TYPO3 CMS - Broken Access Control in File Abstraction Layer

The path allowance check in GeneralUtility::isAllowedAbsPath performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator...

CVE-2026-41844

The CVE-2026-41844 entry concerns Spring Framework components Spring MVC and Spring WebFlux. Affected are Spring Framework versions 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; and 5.3.0–5.3.48. Description: when an application configures a mapping for "/**" and the view name is not explicitly specif...