CVE-2026-42449 n8n-MCP: IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path N8NDocumentationMCPServer constructor, getN8nApiClient, and validateInstanceContext, the synchronous URL validator in...

CVE-2026-42449

Summary: CVE-2026-42449 affects n8n-mcp SDK embedder paths where SSRF protection (SSRFProtection.validateUrlSync) fails to validate IPv4-mapped IPv6 addresses, enabling an attacker-controlled n8nApiUrl to cause the server to make HTTP requests to internal networks, cloud metadata endpoints, or lo...

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

CLSA-2026-1778142360 jq: Fix of 2 CVEs

CVE-2026-33947: limit path depth in jvsetpath, jvgetpath, and jvdelpaths to prevent stack overflow from deep path arrays - CVE-2026-33948: remove strlen-based length calculation that truncated JSON input at embedded NUL bytes, preventing parser-differential attacks...

APEI/GHES: ARM processor Error: don't go past allocated memory

...

throttlestop-poc

throttlestop-poc This is a simple Proof-of-Concept that abuses...

CLSA-2026-1778130778 tomcat: Fix of 2 CVEs

CVE-2025-48988: limit number and header size of multipart parts - CVE-2025-52520: use Math.addExact and long postSize to prevent overflow bypass of maxPostSize during multipart upload...

Cyber Insurance Requirements for Cybersecurity

Cyber Insurance Requirements for Cybersecurity Cyber insurance requirements cybersecurity teams face today are stricter than they were even a few years ago. Underwriters no longer accept a simple security questionnaire and a list of tools. They want evidence that your organization can identify...

CVE-2026-41656

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...

CLSA-2026-1778127227 pcp: Fix of 2 CVEs

CVE-2024-45770: guard pmpost against symlink attacks on $PCPLOGDIR/NOTICES - CVE-2024-45769: harden libpcp pmDecodeValueSet to prevent heap corruption from crafted PDUs...

EUVD-2026-28292

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are pass...

CVE-2026-41656

CVE-2026-41656 (Admidio) : Prior to 5.0.9, the add mode of modules/documents-files.php accepts a name parameter with only string-based HTML encoding validation, allowing path traversal (../) and, combined with absent CSRF protection and SameSite=Lax cookies, enables a low-privilege attacker to tr...

CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...

SUSE CVE-2026-43103

In the Linux kernel, the following vulnerability has been resolved: net: lapbether: handle NETDEVPRETYPECHANGE lapbethdatatransmit expects the underlying device type to be ARPHRDETHER. Returning NOTIFYBAD from lapbethdeviceevent makes sure bonding driver can not break this expectation...

SUSE CVE-2026-43210

In the Linux kernel, the following vulnerability has been resolved: tracing: ring-buffer: Fix to check event length before using Check the event length before adding it for accessing next index in rbreaddatabuffer. Since this function is used for validating possibly broken ring buffers, the lengt...

SUSE CVE-2026-43249

In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen9pfsfrontfree against concurrent calls The xenwatch thread can race with other back-end change notifications and call xen9pfsfrontfree twice, hitting the observed general protection fault due to a double-free...

CLSA-2026-1778112033 avahi: Fix of CVE-2026-24401

CVE-2026-24401: fix avahi-daemon crash on receipt of unsolicited mDNS responses containing self-referencing CNAME records by detecting CNAME loops in lookuphandlecname to prevent uncontrolled recursion and stack exhaustion; also includes two related DoS fixes in the same lookup path from upstream...

Linux Distros Unpatched Vulnerability : CVE-2026-43214

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - KVM: x86: Add SRCU protection for reading PDPTRs in getsregs2 Add SRCU read-side protection when reading PDPTR registers in getsregs2. Reading PDPTRs may trigge...

misp-modules website - Missing CSRF protection in the website home blueprint

A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of sessi...