CVE-2026-56346

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

EUVD-2026-38133

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

CVE-2026-56346

CVE-2026-56346 affects AVideo up to version 25.0, with an authentication bypass in the decryptMessage.json.php endpoint that lets unauthenticated users decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to trigger server-side decryption without credentials...

Security Bulletin: OpenSSH client bug (CVE-2016-0777 and CVE-2016-0778)

Question Security Bulletin: OpenSSH client bug CVE-2016-0777 and CVE-2016-0778 "Business Unit":"code":"BU059","label":"IBM Software w/o TPS","Product":"code":"SS8NDZ","label":"IBM Aspera","Component":"","Platform":"code":"PF025","label":"Platform Independent","Version":"All...

CVE-2026-50267 Steeltoe: TLS private keys written to /tmp with default permissions, never deleted

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from VCAPSERVICES include TLS client credentials, the Connectors libra...

EUVD-2026-36790

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request...

CVE-2026-50892

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request...

CVE-2026-50892

CVE-2026-50892 affects Nginx Proxy Manager v2.14.0. The root cause is improper access control on the Let’s Encrypt certificate download endpoint, allowing authenticated attackers to obtain TLS private key material via a crafted GET request. The impact is limited to confidentiality, with the CVSS ...

PT-2026-49333

Name of the Vulnerable Software and Affected Versions Nginx Proxy Manager version 2.14.0 Description Incorrect access control in the "Let's Encrypt" certificate download endpoint allows authenticated attackers to obtain TLS private key material by sending a crafted GET request. Recommendations At...

GHSA-VC8P-8PXG-RFWG ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing

Summary The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays. A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger tha...

Malicious code in trongapy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0fa840452c4774ec07d74bbed23fbe1c848a2d83303df3f028e73af31045b495 The package's only public function, permprivatekey in trongapy/main.py, unconditionally POSTs the caller-supplied Tron private key as JSON to a...

PT-2026-48603

internal/pki/resolver.go:36-64 constructs a CAManager with the plaintext ed25519.PrivateKey after unwrapping via the master key; internal/pki/ca.go:13-16 stores it. Callers at internal/api/enroll.go:116, internal/api/updates.go:297, and internal/api/mobile bundle.go:40 use the manager for one Sig...

ALPINE-CVE-2026-34181

Issue Summary: The PKCS12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 PBMAC1 integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service...

CVE-2026-34181 PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys

Issue Summary: The PKCS12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 PBMAC1 integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service...

CVE-2026-34181

Issue Summary: The PKCS12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 PBMAC1 integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service...

CVE-2026-32644

Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys...

CVE-2026-9133

Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme arn:aws-debug:file accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the...

CVE-2026-8606

A Server-Side Request Forgery SSRF vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and...

PT-2026-46989

Summary Omni supports importing standalone Talos clusters. During this process, an ImportedClusterSecrets resource is created, which contains the full CA secrets bundle for the cluster being imported. If these secrets are not rotated by the importing actor, an authenticated Omni user with Reader...

kernel: Read root-owned files as an unprivileged user

A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully...