Oracle Linux 10 : bind (ELSA-2026-8312)

The remote Oracle Linux 10 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-8312 advisory. - Prevent Denial of Service via maliciously crafted DNSSEC-validated zone CVE-2026-1519 - Fix upstream reported regression in recent CVE fix CVE-2025-8677 -...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013537)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013537 advisory. In the Linux kernel, the following vulnerability has been resolved: net/smc: use smclgrlist.lock to protect smclgrlist.list iterate in smcrportadd While doing...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-013447)

"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013447 advisory. In the Linux kernel, the following vulnerability has been resolved: serial: protect uartportdtrrts in uartshutdown too Commit af224ca2df29 serial: core: Prevent...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013478)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013478 advisory. In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Panic on bad configs that VE on private memory access All normal kernel memory is TDX...

uutils coreutils 路径遍历漏洞

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. uutils coreutils has a path traversal vulnerability. This vulnerability arises from bypassing the security mechanism that protects the current directory, potentially leading to unexpected or malicious execution of...

PT-2026-34363

In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: check contexts-nr before accessing contexts arr0 Multiple sysfs command paths dereference contexts arr0 without first verifying that kdamond-contexts-nr == 1. A user can set nr contexts to 0 via sysfs while DAMON ...

PowerDNS DNSdist 输入验证错误漏洞

PowerDNS DNSdist is a proxy software provided by PowerDNS, which offers capabilities for DNS traffic load balancing and security protection. PowerDNS DNSdist has a vulnerability related to input validation errors. This vulnerability arises when clients may send a large number of precisely timed...

PT-2026-34391

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description Race conditions can occur in the hwmon pmbus/core component because the regulator operations pmbus regulator get voltage, pmbus regulator set voltage, and pmbus regulator list voltage...

GitLab 安全漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery. Vulnerabilities exist in versions of GitLab CE/EE before 18.9.6, 18.10....

PT-2026-34242

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the kernel's handling of protection keys for address ranges. The subroutine responsible for updating page table entries fails to account for 1GB largepage mappings creat...

bind security update

9.18.33-10.0.2.el101.3 - Hard require needed openssl-libs Orabug: 38742109 - Fix warning when changing device file permissions Orabug: 36518580 32:9.18.33-10.3 - Prevent Denial of Service via maliciously crafted DNSSEC-validated zone CVE-2026-1519 32:9.18.33-10.2 - Fix upstream reported regressio...

PT-2026-34581

IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to write arbitrary files on the system...

CVE-2026-40929

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

CVE-2026-40929 WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

CVE-2026-40926

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

CVE-2026-40925 WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

CVE-2026-40909

WWBN AVideo (pre-29.0) contains a path traversal in locale/save.php that concatenates $_POST['flag'] into the target path and writes $_POST['code'] to that path via fwrite(), allowing an attacker with admin access or CSRF to write arbitrary PHP files outside locale/ and achieve Remote Code Execut...

rsync: Fix of 3 CVEs

CVE-2017-16548: fix heap overread in receivexattr by enforcing trailing NUL on received xattr names - CVE-2017-17434: sanitize xname in readndxandattrs and check daemon filter against fnamecmp in recvfiles - CVE-2018-5764: prevent client from resetting protectargs during the second parsearguments...

CLSA-2026-1776791634 rsync: Fix of 3 CVEs

CVE-2017-16548: fix heap overread in receivexattr by enforcing trailing NUL on received xattr names - CVE-2017-17434: sanitize xname in readndxandattrs and check daemon filter against fnamecmp in recvfiles - CVE-2018-5764: prevent client from resetting protectargs during the second parsearguments...

CVE-2026-40586 blueprintUE: Login Endpoint Has No Rate Limiting, Lockout, or Brute-Force Protection

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressiv...