Security Bulletin: Vulnerability in DiskCache with IBM Fusion, IBM Fusion HCI and IBM Fusion Content-Aware Storage.

Summary IBM Fusion, IBM Fusion HCI and IBM Fusion Content-Aware Storage includes DiskCache python-diskcache. Following vulnerability can achieve arbitrary code execution. CVE-2025-69872. Vulnerability Details CVEID:CVE-2025-69872 DESCRIPTION: DiskCache python-diskcache through 5.6.3 uses Python...

CVE-2026-44931 malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API

The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in malcontent-timerd allows arbitrary users in the system to slowly fill up disk space in /var/lib/malcontent-timerd...

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

SUSE CVE-2026-43415

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcdrtcwork during UFS suspend In ufshcdwlsuspend, canceldelayedworksync is called to cancel the UFS RTC work, but it is placed after ufshcdvopssuspendhba, pmop, POSTCHANGE. This creates a race...

ANTI-FLUFF

PENTESTINGMETHS Main view example: Web Application As...

Important: git-lfs security update

Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 golang:...

PT-2026-40698

A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device...

Lenovo Personal Cloud Storage 操作系统命令注入漏洞

Lenovo Personal Cloud Storage is a personal cloud storage service provided by Lenovo Corporation. Lenovo Personal Cloud Storage has a vulnerability related to operating system command injection. This vulnerability stems from potential vulnerabilities, which may allow remote authenticated users to...

CubeCart 跨站脚本漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Versions of CubeCart prior to 6.6.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from a storage-based cross-site scripting flaw, which could allow attackers with administrative privileges to inject...

PT-2026-40699

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device...

git-lfs security update

3.4.1-10 - Rebuild with new Golang - Resolves: RHEL-167541, RHEL-167379, RHEL-166518 3.4.1-9 - Rebuild with new Golang - Resolves: RHEL-156637...

AlmaLinux 9 : thunderbird (ALSA-2026:15892)

The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:15892 advisory. firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS CVE-2026-6772 firefox: thunderbird: Use-after-free in the JavaScrip...

esm.sh: Legacy Route Path Traversal Can Lead to RCE

Impact - Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. Exploit The legacy router...

CVE-2026-45225

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in th...

CVE-2026-45225 Heym < 0.0.21 Path Traversal File Upload via upload_file()

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in th...

CVE-2026-35157

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an improper neutralization of formula elements in a CSV File vulnerability in the UI. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to remote...

CVE-2026-40197

A flaw was found in Incus, a system container and virtual machine manager. An authenticated user with access to the storage volume feature can exploit a nil-pointer dereference vulnerability during custom volume import operations. By supplying a specially crafted backup archive, the user can caus...

CVE-2026-41647

A flaw was found in Incus, a system container and virtual machine manager. An authenticated Incus user can exploit a missing error handling vulnerability by importing a truncated storage bucket backup file. This can lead to a daemon crash, resulting in a Denial of Service DoS for the Incus servic...

CVE-2026-40195

A flaw was found in Incus, a system container and virtual machine manager. An authenticated user with access to the storage bucket feature can exploit a missing validation logic in the storage bucket import process. By providing a malicious or malformed index.yaml file that omits the configuratio...