Vulnerabilities managed in GitLab Enterprise Edition

GitLab has identified several vulnerabilities in the GitLab Community Edition and Enterprise Edition versions, ranging from 12.0 to 19.0.2, including important releases such as 17.x, 18.10.8, 18.11.5, and 19.0.2. These vulnerabilities affect various components of GitLab CE & EE. Authorized users...

Vulnerability handling in Oracle PeopleSoft Enterprise PeopleTools

Oracle has identified a vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. This vulnerability allows unauthorized attackers to exploit the system via HTTP remotely. This can lead to remote code execution, which may result in the complete takeover of the system. The...

security-advisories

Security Advisories This repository contains public security...

SUSE CVE-2026-41283

OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials...

SUSE CVE-2026-42305

Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accept...

EUVD-2026-36328

Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

PT-2026-48882

Name of the Vulnerable Software and Affected Versions Amasty Order Attributes for Magento 2 versions prior to 4.0.0 Description An unauthenticated arbitrary file upload issue allows attackers to write files of any type or name to the store's media directory. This occurs because the upload endpoin...

PT-2026-49053

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.26.4 GeoServer versions prior to 2.27.3 Description An authenticated administrator with access to the security system can provide arbitrary absolute file paths to the Master Password Dump web page to create files...

PT-2026-48852

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 4.2.2 Apache CXF versions prior to 4.1.7 Description A JNDI Injection issue exists in the JCA integration module. This occurs when an attacker can manipulate the JCA deployment descriptor 'ra.xml' or runtime...

PT-2026-48968

Name of the Vulnerable Software and Affected Versions Kitty versions prior to 0.47.0 Description A flaw allows a program capable of writing bytes to the terminal—such as a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, or an issue body in a TUI—to...

PT-2026-48851

A further incomplete fix for a previous advisory CVE-2026-44417 Untrusted JMS configuration can lead to RCE for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions...

RockyLinux 9 : redis:7 (RLSA-2026:25219)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:25219 advisory. redis: use-after-free in unblock client flow may allow remote code execution CVE-2026-23479 redis: Remote code execution via use-after-free in Lua...

RockyLinux 9 : samba (RLSA-2026:25049)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:25049 advisory. samba: Missing access check on reparse point operations CVE-2026-1933 samba: vfsworm does not block directory modification CVE-2026-2340 samba: group...

Ivanti Sentry < R10.5.2 / R10.6.2 / R10.7.1 Multiple Vulnerabilities

The version of Ivanti Sentry formerly MobileIron Sentry running on the remote host is prior to R10.5.2, R10.6.2, or R10.7.1. It is, therefore, affected by multiple vulnerabilities : - An OS command injection vulnerability allows a remote, unauthenticated attacker to achieve root-level remote code...

RockyLinux 10 : valkey (RLSA-2026:25216)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:25216 advisory. redis: use-after-free in unblock client flow may allow remote code execution CVE-2026-23479 redis: Remote code execution via use-after-free in Lua...

Debian dla-4629 : apache2 - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4629 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4629-1 [email protected]...

📄 Paperclip AI Remote Code Execution

Paperclip is the operating system for your AI company. You set the goals, hire AI agents as employees, and watch them plan and execute work. Prior to version 2026.410.0, Paperclip allows for unauthenticated remote code execution on any network-accessible instance running in authenticated mode wit...

📄 Gogs 0.14.2 Argument Injection

Proof of concept exploit for an argument injection vulnerability in Gogs versions 0.14.2 and below and versions 0.15.0+dev and below. ================================================================================================================================== | Title : Gogs Git Rebase Argume...

DEBIAN-CVE-2026-12007

Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-12007

Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...