CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that...

GHSA-2XF4-CG6J-VHGQ symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form

Description symfony/polyfill-intl-idn provides a userland implementation of idntoutf8 and idntoascii for runtimes that lack the intl extension. Its Idn::process method decodes labels prefixed with xn-- using Punycode but never enforces the validity criterion added in UTS 46 revision 33 Section 4...

CVE-2026-44594

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

CVE-2026-44594 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

CVE-2026-44594

CVE-2026-44594 describes a Local File Inclusion (LFI) in esm.sh’s esbuild plugin handling of the browser field in package.json. The vulnerability allows an attacker to publish a crafted npm package that, during the build, causes the server to read and return arbitrary files from the host filesyst...

CVE-2026-46223

A flaw was found in the Linux kernel's cgroup subsystem. This vulnerability occurs during the rmdir operation when the process initiating the rmdir is also responsible for cleaning up zombie processes that are holding onto process namespace pidns resources. This specific scenario can lead to a...

UBUNTU-CVE-2026-46206

In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject new tpmeter sessions during teardown Prevent tpmeter from starting new sender or receiver sessions after meshstate has left BATADVMESHACTIVE...

CVE-2026-45862

A flaw was found in the Linux kernel's IOMMU Input/Output Memory Management Unit virtualized directed I/O VT-d component. When a freshly allocated PASID Process Address Space ID table is written to a directory entry, the CPU cache flush for this table occurs too late. This creates a time window...

SUSE CVE-2026-45894

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down PASID entry The Intel VT-d Scalable Mode PASID table entry consists of 512 bits 64 bytes. When tearing down an entry, the current implementation zeros the entire 64-byte structure...

CVE-2026-45937

A flaw was found in the Linux kernel's inside-secure/eip93 cryptographic driver. This vulnerability occurs during the driver detachment process, where a programming error leads to the same hash algorithm being unregistered multiple times. This issue can cause a kernel panic, resulting in a Denial...

CVE-2026-45945

A flaw was found in the Linux kernel's Intel VT-d Virtualization Technology for Directed I/O implementation. A race condition occurs during the replacement of an active PASID Process Address Space ID entry. This can lead to the IOMMU Input/Output Memory Management Unit hardware reading an...

Malicious code in @cloudplatform-single-spa/svp-draas (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/dataplatform-metastore (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

WordPress plugin WP Contact Form 7 DB Handler 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

MAL-2026-4870 Malicious code in @car-loans/general-analytics (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

MAL-2026-5014 Malicious code in @mlspace/dtransfer-history (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

MAL-2026-4998 Malicious code in @cloudplatform-single-spa/virtual-machines (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/ml-inference-comfy-run (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

Malicious code in @cloudplatform-single-spa/profile (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

PT-2026-44566

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 148.0.7778.216 Description An inappropriate implementation in the input handling allows a remote attacker who has compromised the renderer process to bypass site isolation by using a crafted HTML page...