UBUNTU-CVE-2026-28388

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application...

JLSEC-2026-57

Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser...

openSUSE 16 Security Update : tomcat10 (openSUSE-SU-2026:20444-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20444-1 advisory. Update to Tomcat 10.1.52: - CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled bsc1252753. - CVE-2025-55754:...

OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

Summary Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a...

[SECURITY] Fedora 43 Update: openbao-2.5.2-1.fc43

Openbao secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Openbao handles leasing, key revocation, key rolling, and auditing. Through a unified API, us ers can access an encrypted Key/Value store and network...

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

📄 listmonk Session Persistence

listmonk has a flaw where sessions persist as valid after password reset and password change. CVE-2026-34828 listmonk’s Session Persistence After Password Reset and Password Change Intro I found this issue while reviewing listmonk, an open-source newsletter and mailing list manager, with a simple...

listmonk's active sessions remain valid after password reset and password change

Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...

GHSA-H5J9-CVRW-V5QH listmonk's active sessions remain valid after password reset and password change

Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

EUVD-2026-18089

CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation Logic Flaw...

EUVD-2026-18086

CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation Logic Flaw...

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

GHSA-HVC7-763R-4F3H openssl-encrypt has no owner verification on key revocation — any client can revoke any key

Summary The revokekey method in opensslencryptserver/modules/keyserver/service.py at lines 195-270 accepts a clientid parameter but never verifies that the requesting client is the same as key.ownerclientid. Impact Any authenticated client can revoke any other client's key, as long as they provid...

openssl-encrypt has no owner verification on key revocation — any client can revoke any key

Summary The revokekey method in opensslencryptserver/modules/keyserver/service.py at lines 195-270 accepts a clientid parameter but never verifies that the requesting client is the same as key.ownerclientid. Impact Any authenticated client can revoke any other client's key, as long as they provid...

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

PT-2026-29636

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not immediately revoke active user sessions when an account is deactivated. This is due to a logic flaw where account state changes are only enforced during login, not for...