CVE-2026-48491

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability allows an unauthenticated client to bypass mutual Transport Layer Security TLS enforcement, a security measure that verifies both client and server identities. The bypass occurs due to an issue in Traefik's...

CVE-2026-52920

The CVE-2026-52920 entry documents a Linux kernel netfilter xt_policy issue where strict mode inbound policy matching could misalign due to the incorrect consumption order of policy entries. Specifically, match_policy_in() walked sec_path entries from the last transform to the first, requiring co...

Adobe AEM Dispatcher <4.15 - Rules Bypass

Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, which allows remote attackers to bypass dispatcher rules via unspecified vectors. id: CVE-2016-0957 info: name: Adobe AEM Dispatcher 4.15 - Rules Bypass author: geeknik severity:...

Scramble Laravel - Remote Code Execution

Scramble for Laravel = 0.13.2 and = 0.13.2 and 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation...

CVE-2026-49860 Deno: WebSocket API sandbox bypass via missing post-DNS check

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially...

CVE-2026-49859

CVE-2026-49859 affects Deno before version 2.8.1. The bug occurs in fetch() where Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that the hostname resolves to, allowing an attacker-controlled domain that passes the hostname check to resolve to...

kernel: net/sched: act_pedit: extend the writable skb range per key

A flaw was found in the Linux kernel's traffic control packet editing pedit subsystem. In tcfpeditact, the copy-on-write COW range for skbensurewritable is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can...

CVE-2026-48794

CVE-2026-48794 affects Authelia (versions 4.36.0–4.39.19). A domain canonicalization edge case can cause an access control rule to be skipped when it should match a request, under very specific conditions involving forwarded authorization, multi-segment subdomains (e.g., a.b.example.com vs exampl...

CVE-2026-48089

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

CVE-2026-48772

ProxySQL (versions 2.0.0–3.0.8) is vulnerable to a PROXY protocol v1 UNKNOWN frame bypass. The frontend accepts the PROXY UNKNOWN header and, despite the spec requiring ignoring the address fields, ProxySQL parses them via sscanf and writes a spoofed source address into the session, feeding i...

CVE-2026-44046

Apache APISIX is affected by CVE-2026-44046 due to a Less Trusted Source issue in the wolf-rbac plugin under default configuration. Affected versions: 1.2.0 through 3.16.0. Exploitation can allow spoofed identity information to be logged and potentially bypass or abuse IP-based access controls. T...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: drm/panthor: Fix for dma-fence safe access rules Commit 506aa8b02a8d6 “dma-fence: Add safe access helpers and document the rules” details the dma-fence safe access rules. The most common issue is that...

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: ipv6: fib6rules: avoided possible NULL dereferencing in fib6ruleaction. syzbot is capable of triggering the following crashes 1, caused by the unsafe use of ip6dstidev. Indeed, ip6dstidev can return NULL, and this value must...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Only warnings are issued when overwriting a shadow-present SPTE, specifically when it occurs in direct MMUs. The sanity check of KVM is adjusted to only apply to direct MMUs, i.e., only to MMUs that do not have...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: dropping bogus WARN messages This issue occurs when rules are flushed/deleted while the packet is still being processed. Therefore, this WARN message needs to be removed. This warning has existed in som...

Astra Linux – Vulnerability in libarchive

A issue was discovered in libarchive bsdtar before version 3.8.1, in the function applysubstitution in the file tar/subst.c, when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to a denial of service Out-of-Memory crash...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: BPF: Allow deletion from sockmap/sockhash only if updating is allowed. We have received a surge in reports from syzkaller instances where a BPF program attached to a tracepoint triggered a locking rule violation by performing a...

PT-2026-51025

Name of the Vulnerable Software and Affected Versions Authelia versions 4.36.0 through 4.39.19 Description Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO. A lack of domain canonicalization in specific edge cases can...

EUVD-2026-37845

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'ruleid' parameter due to missing validation on a user controlled key. This makes it possible for...

CVE-2026-10623 PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification via 'quiz_id', 'item_id', and 'rule_id' Parameters

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'ruleid' parameter due to missing validation on a user controlled key. This makes it possible for...