SiYuan <= v3.6.1 - Bookmark Data Disclosure

SiYuan v3.6.2 contains an information disclosure vulnerability caused by improper authorization checks in the publish service's bookmark filtering, letting unauthenticated visitors access bookmarked blocks from password-protected documents, exploit requires access to the publish service. id:...

RClone RC - Command Injection

Rclone = 1.48.0 and = 1.48.0 and 1.73.5 contains an unauthenticated local command execution caused by unauthenticated access to the RC endpoint operations/fsinfo with attacker-controlled fs input, letting unauthenticated attackers execute local commands, exploit requires reachable RC deployment...

Fedora 44 : yt-dlp (2026-bb702c613b)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-bb702c613b advisory. - Update to 2026.06.09. Fixes rhbz2487407. - Mitigates CVE-2026-50019, CVE-2026-50023, CVE-2026-50574 Tenable has extracted the preceding descriptio...

Astra Linux – Vulnerability in hsqldb

Those who use java.sql.Statement or java.sql.PreparedStatement in hsqldb HyperSQL Database to process untrusted input may be vulnerable to a remote code execution attack. By default, it is allowed to call any static method of any Java class in the classpath, resulting in code execution. This issu...

CVE-2026-8100

Impact A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass...

PT-2026-48274

Name of the Vulnerable Software and Affected Versions Adobe Campaign Classic ACC versions prior to 7.4.3 build 9395 Description A Server-Side Request Forgery SSRF issue exists where the server can be coerced into making unauthorized requests. This can lead to privilege escalation or arbitrary cod...

Fedora 44 : chromium (2026-15e444c3bb)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-15e444c3bb advisory. Update to 149.0.7827.53 fix 429 CVEs CVE-2026-10881 through CVE-2026-11309 Tenable has extracted the preceding description block directly from the...

Maintenance update for Multi-Linux Manager 4.3 Release Notes Release Notes

Description: This update fixes the following issues: release-notes-susemanager-proxy: Update to SUSE Manager 4.3.18 Bugs mentioned bsc1249675, bsc1259554 Security update 4.3.18 for Multi-Linux Manager Server LTS Description: This update fixes the following issues: release-notes-susemanager: Updat...

PT-2026-46267

Name of the Vulnerable Software and Affected Versions Net::CIDR::Set versions prior to 0.21 Description The software fails to validate IP addresses. The add function calls the encode function to parse addresses; if the input does not resemble netmasks or network ranges, it is treated as a single ...

Debian dsa-6310 : imagemagick - security update

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6310 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6310-1 [email protected] https://www.debian.org/securit...

CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account...

Fedora 44 : podofo (2026-5c81faa7bf)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-5c81faa7bf advisory. Update to podof-1.0.4. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

CVE-2026-45548 Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetchfileUrl directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated...

CVE-2026-8428 CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below

Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...

PT-2026-42687

Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0 Description Runtime pods were configured with the fission-fetcher ServiceAccount, which possesses namespace-wide get permissions for secrets and configmaps. Because the service account token was automounted and...

Security Bulletin: NVIDIA TensorRT-LLM - May 2026

NVIDIA has released a software update for NVIDIA® TensorRT-LLM. To protect your system, clone or update this software to TensorRT-LLM v1.2.1 from GitHub. Go to NVIDIA Product Security. Details The following table summarizes the potential vulnerabilities that this security update addresses and the...

SUSE-SU-2026:1964-1 Security update for rmt-server

This update for rmt-server fixes the following issues - CVE-2026-26961: rack: mismatch in header handling can allow to smuggle multipart content bsc1261398. - CVE-2026-26962: rack: improper unfolding of folded multipart headers can lead to header injection or response splitting bsc1261471. -...

Fedora 43 : pgbouncer (2026-fad57ac86d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-fad57ac86d advisory. Update to 1.25.2. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...

Insertion of Sensitive Information Into Sent Data

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the emittoolcalledevent process, which serializes and transmits all tool arguments, including...

PT-2026-40833

Name of the Vulnerable Software and Affected Versions Strapi versions prior to 5.45.0 Description The rate-limit middleware in the users-permissions plugin incorrectly derives its rate-limit key using ctx.request.body.email, even on routes where the body schema does not require an email field, su...