EUVD-2026-38239

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries

Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal install...

ROOT-OS-UBUNTU-2404-CVE-2025-38190 CVE-2025-38190 in rootio-linux - Patched by Root

Root has patched CVE-2025-38190 in the rootio-linux package for Root:Ubuntu:24.04. Multiple fixed versions available...

ROOT-OS-UBUNTU-2404-CVE-2026-43495 CVE-2026-43495 in rootio-linux - Patched by Root

Root has patched CVE-2026-43495 in the rootio-linux package for Root:Ubuntu:24.04. Multiple fixed versions available...

CVE-2026-56367 ImageMagick - Heap Out-of-Bounds Read in PSB RLE Decoding

ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB PSD v2 RLE decoding path ReadPSDChannelRLE in coders/psd.c that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash...

CVE-2026-56367

ImageMagick is affected in versions prior to 7.1.2-15 and 6.9.x prior to 6.9.13-40, where an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) can cause a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file may lead to information discl...

Astra Linux – Vulnerability found in Linux 5.15, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: A overflow issue was fixed in the bitmapipcreate function before the bitmap was widened. When firstip is 0, lastip is 0xFFFFFFFF, and the netmask is 31, the value of an arithmetic expression 2 netmask - maskbits...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: x86/bugs: Using a code segment selector for the VERW operand Robert Gill reported the following issue in 32-bit mode when the dosemu software executed the vm86 system call: General protection fault: 0000 1 PREEMPT SMP CPU: 4 PID:...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: The current directory offset allocator based on mtreealloccyclic stores the next offset value to be returned in octx-nextoffset. This mechanism typically returns values that increase monotonically over time. Eventually, however,...

CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability

Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.37 versions...

CVE-2026-12289

CVE-2026-12289 describes a privilege-escalation vulnerability in the Graphics: WebRender component. The public description and connected advisories indicate this affects Mozilla Firefox and Thunderbird products, with fixes shipped in: Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbi...

libexif: libexif: Information disclosure and crashes via integer overflow in Nikon MakerNote handling

A flaw was found in libexif. A local attacker on a 32-bit system could exploit an unsigned 32-bit integer overflow vulnerability in the Nikon MakerNote handling. This could lead to application crashes or the disclosure of sensitive information...

CVE-2026-48723

BrowserStack Cypress CLI prior to 1.36.4 is vulnerable to OS command injection via the cypress_config_file parameter in readCypressConfigUtil.js (loadJsFile()), which builds a shell command by interpolating cypress_config_filepath into a template literal and runs it with child_process.execSync()....

CVE-2026-39463

Unauthenticated Cross Site Scripting XSS in ManageWP Worker = 4.9.31 versions...

CVE-2026-39579 WordPress B Blocks plugin <= 2.0.31 - Privilege Escalation vulnerability

Contributor Privilege Escalation in B Blocks = 2.0.31 versions...

EUVD-2026-36629

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

CVE-2026-53868 Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

CVE-2026-53868 Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

CVE-2026-53868

Capgo before 12.128.2 contains a denial-of-service vulnerability where attackers can register accounts with arbitrary, unverified emails and then delete them, causing pending deletions that lock legitimate users out for up to 30 days. Root cause: unverified email ownership in account lifecycle op...

EUVD-2026-36512

Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multisearch endpoint. A specially crafted request can trigger an unhandled exception during request processing, causing the server process to...