31145 matches found

Cvelist
added 2026/03/18 6:3 a.m. 27 views

CVE-2026-32608 Glances has a Command Injection via Process Names in Action Command Templates

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., name, key) that are populated with runtime...

CVSS 7 | EPSS 0.0001
Exploits 1 | References 3
ATTACKERKB
added 2026/03/18 5:18 a.m. 2 views

CVE-2026-32596

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials passwords, API keys,...

CVSS 8.7 | AI score 5.8 | EPSS 0.04747
Exploits 1 | References 4 | Affected Software 1
Cvelist
added 2026/03/18 5:14 a.m. 24 views

CVE-2026-32606 IncusOS has a LUKS encryption bypass due to insufficient TPM policy

IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physical access to the machine to access the encrypted data without requiring any interaction by the...

CVSS 7.6 | EPSS 0.00008
Exploits 0 | References 5
Fedora
added 2026/03/18 12:16 a.m. 4 views

[SECURITY] Fedora 44 Update: systemd-259.5-1.fc44

systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups,...

CVSS 6.7 | AI score 5.8 | EPSS 0.0001
Exploits 0
CNNVD
added 2026/03/18 12:0 a.m. 2 views

OpenClaw Access Control Error Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that can be exploited by an attacker to cause a local process to capture a gateway authentication token...

CVSS 6.8 | AI score 5.8 | EPSS 0.00028
Exploits 0 | References 3
Positive Technologies
added 2026/03/18 12:0 a.m. 2 views

PT-2026-26132

Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.181, 15G and 16G versions prior to 7.20.10.50 and Dell Integrated Dell Remote Access Controller 10, 17G versions prior to 1.20.25.00, contain a Process Control vulnerability. A high privileged attacker with adjacent...

CVSS 5.3 | AI score 5.9 | EPSS 0.00058
Exploits 0 | References 3
CNNVD
added 2026/03/18 12:0 a.m. 3 views

Phoenix Contact Multiple Products Security Vulnerability

PHOENIX CONTACT FL SWITCH and PHOENIX CONTACT FL NAT are products of the German company PHOENIX CONTACT. PHOENIX CONTACT FL SWITCH is an industrial-grade Ethernet switch. PHOENIX CONTACT FL NAT is a series of industrial security gateways. Several products from Phoenix Contact have security...

CVSS 4.9 | AI score 6.2 | EPSS 0.00018
Exploits 0 | References 1
VulnCheck KEV
added 2026/03/18 12:0 a.m. 1 views

VulnCheck KEV: CVE-2025-43510

A memory corruption issue was addressed with improved lock state checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A malicious application may cause unexpect...

CVSS 7.8 | AI score 5.8 | EPSS 0.00303
In wild | Exploits 2 | References 4
EUVD
added 2026/03/17 8:34 p.m. 3 views

EUVD-2026-12490

Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit...

CVSS 7.5 | AI score 5.8 | EPSS 0.00068
Exploits 0 | References 4
OSV
added 2026/03/17 8:34 p.m. 3 views

GHSA-XFHR-Q72Q-JCRJ Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit

Summary: An issue has been identified in the Bedrock AgentCore Starter Toolkit versions prior to v0.1.13 that may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. Impact: A remote actor could inject code during the build process,...

CVSS 7.5 | AI score 6.2 | EPSS 0.00068
Exploits 0 | References 5
NVD
added 2026/03/17 6:16 p.m. 3 views

CVE-2026-32296

Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and terminate...

CVSS 8.8 | EPSS 0.00106
Exploits 0 | References 4
CVE
added 2026/03/17 5:19 p.m. 14 views

CVE-2026-32296

Sipeed NanoKVM (pre-2.3.1) exposes a Wi‑Fi configuration endpoint without proper access checks, allowing an unauthenticated attacker with network access to either change the saved Wi‑Fi network to a value of the attacker’s choosing or craft a request to exhaust memory and terminate the KVM proces...

CVSS 8.8 | AI score 5.8 | EPSS 0.00106
Exploits 0 | References 4
Cvelist
added 2026/03/17 5:19 p.m. 22 views

CVE-2026-32296 Sipeed NanoKVM unauthenticated Wi-Fi configuration endpoint

Sipeed NanoKVM before 2.3.1 exposes a Wi-Fi configuration endpoint without proper security checks, allowing an unauthenticated attacker with network access to change the saved configured Wi-Fi network to one of the attacker's choosing, or craft a request to exhaust the system memory and terminate...

CVSS 8.8 | EPSS 0.00106
Exploits 0 | References 4
CVE
added 2026/03/17 5:19 p.m. 9 views

CVE-2026-32293

The affected device is the GL-iNet Comet (GL-RM1) KVM. During boot, it connects to a GL-iNet site to provision client and CA certificates, but it does not verify the certificates used for this connection. This enables a network attacker to perform a man-in-the-middle attack to serve invalid clien...

CVSS 6.3 | AI score 5.7 | EPSS 0.00034
Exploits 0 | References 4 | Affected Software 1
Vulnrichment
added 2026/03/17 5:19 p.m. 2 views

CVE-2026-32293 GL-iNet Comet (GL-RM1) KVM insufficient certificate validation

The GL-iNet Comet GL-RM1 KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the...

CVSS 6.3 | AI score 5.7 | EPSS 0.00034
Exploits 0 | References 4
Cvelist
added 2026/03/17 5:19 p.m. 20 views

CVE-2026-32293 GL-iNet Comet (GL-RM1) KVM insufficient certificate validation

The GL-iNet Comet GL-RM1 KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the...

CVSS 6.3 | EPSS 0.00034
Exploits 0 | References 4
Vulnrichment
added 2026/03/17 3:28 p.m. 2 views

CVE-2026-24901 Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts

Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users,...

CVSS 8.1 | AI score 5.8 | EPSS 0.00048
Exploits 1 | References 1
CNNVD
added 2026/03/17 12:0 a.m. 2 views

GL-iNet Comet Security Vulnerability

GL-iNet Comet is a portable, multi-functional network device developed by GL-iNet Corporation in China. There is a security vulnerability in GL-iNet Comet, which stems from the lack of certificate verification during the initialization process when connecting to the GL-iNet site. This vulnerabili...

CVSS 6.3 | AI score 6 | EPSS 0.00034
Exploits 0 | References 3
OSV
added 2026/03/16 8:49 p.m. 0 views

GHSA-4W98-XF39-23GP Loop with Unreachable Exit Condition ('Infinite Loop') in ewe

Summary: ewe's handletrailers function contains a bug where rejected trailer headers (forbidden or undeclared) cause an infinite loop. The function recurses with the original unparsed buffer instead of advancing past the rejected header, re-parsing the same header forever. Each malicious request...

CVSS 7.5 | AI score 6.1 | EPSS 0.00022
Exploits 1 | References 5
Snyk
added 2026/03/16 6:47 p.m. 1 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path through the importSY, importZipMd, importSyncProviderWebDAV, importSyncProviderS3, and importConf file import processes in the kernel/api/import.go, kernel/api/sync.go, and kernel/api/system.go...

CVSS 9.1 | AI score 6.3 | EPSS 0.00123
Exploits 1 | References 3