Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by a vulnerability in minimatch (CVE-2026-26996)

Summary A Regular Expression Denial of Service ReDoS vulnerability in the minimatch pattern matching library CVE-2026-26996 used by IBM InfoSphere Optim Archive Viewer has been addressed by upgrading the library to version 5.1.8. Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch i...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the exec approver gate process. An attacker can gain unauthorized approval capabilities by leveraging limited exec approval permissions to bypass intended...

CVE-2026-8803

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to...

CVE-2026-8803 opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to...

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow due to improper bounds checking in memory operations. An attacker can execute arbitrary code or escalate privileges by supplying crafted input to the affected process. Remediation Upgrade...

PT-2026-38489

Summary Nokogiri's Nokogiri::XSLT::Stylesheettransform leaks a small heap allocation when passed a Ruby string parameter containing a null byte. For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial of service attack against...

CVE-2026-29168 Apache HTTP Server: mod_md unrestricted OCSP response

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's modmd via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

virt:kvm_utils3 bug fix update

hivex 1.3.18-23 - Limit recursion in ri-records CVE-2021-3622 resolves: rhbz1976194 1.3.18-22.el8 - Resolves: bz2000225 Rebase virt:rhel module:stream based on AV-8.6 1.3.18-21 - Bounds check for block exceeding page length CVE-2021-3504 resolves: rhbz1950501 1.3.18 - Resolves: bz1810193 Upgrade...

SUSE CVE-2026-34479

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...

Integer Overflow or Wraparound

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Linux Distros Unpatched Vulnerability : CVE-2026-29145

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This iss...

Security Bulletin: IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting (XSS) (CVE-2025-11965, CVE-2025-11966)

Summary IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting XSS when using Eclipse Vert.x. Vulnerability Details CVEID:CVE-2025-11965 DESCRIPTION: In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for...

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure

Summary @openclaw/voice-call and the bundled copy shipped in openclaw accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure. Affected Packages / Versions - openclaw npm:...

OpenClaw: Node exec approvals could be replayed across nodes

Summary exec.approval requests for host=node were not explicitly bound to the target nodeId, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet. Impact An operator approval for a system.run request could be reused across...

PYSEC-2026-113

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file but not an IPC stream with pre-buffering enabled, if the IPC file contains data with variadic buffers such as Binary View and String...

PT-2026-3464

Name of the Vulnerable Software and Affected Versions OpenProject versions 16.3.0 through 16.6.4 Description OpenProject is a web-based project management software. A stored cross-site scripting issue exists in the Roadmap view. The issue occurs when a version contains work packages from a...

EUVD-2026-0825

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update ...

Veeam Backup & Replication 13.0.1 In-Place Upgrade Version Requirement

Challenge When attempting to upgrade an existing Veeam Backup & Replication deployment to version 13.0.1, the installer displays a message stating: Unable to upgrade Veeam Backup & Replication: you can upgrade from version 12.3.1.1139 or later only. Solution Before attempting an in-place upgrade ...

CVE-2025-59037 DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...

D-Link DI-500WF os Command Injection Vulnerability

The D-Link DI-500WF is a panel type wireless access point AP, mainly used to build wireless network coverage environment, supports 802.11n protocol with a theoretical maximum transmission rate of 150Mbps. The D-Link DI-500WF suffers from an os command injection vulnerability that stems from the...