17427 matches found

Tenable Nessus
added 2026/01/27 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2026-24686

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string repoName as a filesystem pat...

4.7 CVSS | 5.8 AI score | 0.00009 EPSS
Exploits: 1 | References: 3

RedhatCVE
added 2026/01/26 9:8 p.m. | 3 views

CVE-2026-20883

Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. Mitigation: Mitigation for this issue is either not available or the...

6.5 CVSS | 5.8 AI score | 0.00018 EPSS
Exploits: 0 | References: 8

RedhatCVE
added 2026/01/26 8:52 p.m. | 3 views

CVE-2026-20736

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. Mitigation: Mitigation for...

7.5 CVSS | 5.8 AI score | 0.00017 EPSS
Exploits: 0 | References: 7

OSV
added 2026/01/26 2:49 p.m. | 3 views

BIT-MOODLE-2025-3642 Moodle: authenticated remote code execution risk in the moodle lms equella repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled...

8.8 CVSS | 6.4 AI score | 0.00667 EPSS
Exploits: 0 | References: 4

OSV
added 2026/01/26 2:49 p.m. | 3 views

BIT-MOODLE-2025-3641 Moodle: authenticated remote code execution risk in the moodle lms dropbox repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled...

8.8 CVSS | 6.4 AI score | 0.00667 EPSS
Exploits: 0 | References: 4

Github Security Blog
added 2026/01/23 6:31 p.m. | 3 views

Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted targetNF value

An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck function in file internal/sbi/processor/accesstoken.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access...

9.1 CVSS | 5.6 AI score | 0.00065 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

Snyk
added 2026/01/23 6:32 a.m. | 2 views

Malicious Package

Overview: ntwsc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8 CVSS | 5.5 AI score
Exploits: 0 | References: 2

OSV
added 2026/01/23 12:31 a.m. | 3 views

GHSA-4XX9-VC8V-87HV Gitea does not properly validate repository ownership when linking attachments to releases

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...

5.1 CVSS | 5.5 AI score | 0.00021 EPSS
Exploits: 0 | References: 7

Github Security Blog
added 2026/01/23 12:31 a.m. | 8 views

Gitea does not properly validate repository ownership when linking attachments to releases

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...

9.1 CVSS | 5.5 AI score | 0.00021 EPSS
Exploits: 0 | References: 7 | Affected Software: 1

Snyk
added 2026/01/23 12:31 a.m. | 2 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper validation of repository ownership when linking attachments to releases. An attacker can gain unauthorized access to attachments by linking an attachment uploaded to a privat...

9.1 CVSS | 5.9 AI score | 0.00021 EPSS
Exploits: 0 | References: 2

EUVD
added 2026/01/23 12:31 a.m. | 3 views

EUVD-2026-4263

Gitea does not properly validate repository ownership when linking attachments to releases...

9.1 CVSS | 5.4 AI score | 0.00021 EPSS
Exploits: 0 | References: 7

Snyk
added 2026/01/23 12:31 a.m. | 1 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper validation of repository ownership when linking attachments to releases. An attacker can gain unauthorized access to attachments by linking an attachment uploaded to a privat...

9.1 CVSS | 5.9 AI score | 0.00021 EPSS
Exploits: 0 | References: 2

Snyk
added 2026/01/23 12:31 a.m. | 1 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper verification of repository context during the deletion process. An attacker can remove attachments they previously uploaded to a repository, even after losing access to that...

7.5 CVSS | 5.9 AI score | 0.00017 EPSS
Exploits: 0 | References: 2

Snyk
added 2026/01/23 12:31 a.m. | 1 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper verification of repository context during the deletion process. An attacker can remove attachments they previously uploaded to a repository, even after losing access to that...

7.5 CVSS | 5.9 AI score | 0.00017 EPSS
Exploits: 0 | References: 2

OSV
added 2026/01/23 12:31 a.m. | 2 views

GHSA-2VGV-HGV4-22MH Gitea improperly exposes issue and pull request titles

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications...

2.3 CVSS | 5.4 AI score | 0.00018 EPSS
Exploits: 0 | References: 6

Snyk
added 2026/01/23 12:31 a.m. | 1 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the release notification process. An attacker can receive unauthorized information about private repository releases by maintaining a watch on a repository that was changed from public to private, even after...

3.5 CVSS | 5.8 AI score | 0.00017 EPSS
Exploits: 0 | References: 2

EUVD
added 2026/01/23 12:31 a.m. | 2 views

EUVD-2026-4264

Gitea does not properly validate repository ownership when deleting Git LFS locks...

9.1 CVSS | 5.4 AI score | 0.00021 EPSS
Exploits: 0 | References: 7

Github Security Blog
added 2026/01/23 12:31 a.m. | 8 views

Gitea has improper access control for uploaded attachments

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...

7.5 CVSS | 5.4 AI score | 0.00017 EPSS
Exploits: 0 | References: 6 | Affected Software: 1

Github Security Blog
added 2026/01/23 12:31 a.m. | 6 views

Gitea improperly exposes issue titles and repository names through previously started stopwatches

Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches...

6.5 CVSS | 5.4 AI score | 0.00018 EPSS
Exploits: 0 | References: 7 | Affected Software: 1

Snyk
added 2026/01/23 12:31 a.m. | 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the release notification process. An attacker can receive unauthorized information about private repository releases by maintaining a watch on a repository that was changed from public to private, even after...

3.5 CVSS | 5.8 AI score | 0.00017 EPSS
Exploits: 0 | References: 2