7738 matches found

Positive Technologies
added 2026/01/20 12:00 a.m., 3 views

PT-2026-3556

A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024...

CVSS: 8.6, AI score: 5.3, EPSS: 0.00025
Exploits: 0, References: 2
Tenable Nessus
added 2026/01/20 12:00 a.m., 3 views

MiracleLinux 7 : bind-9.11.4-26.P2.16.0.3.el7.AXS7 (AXSA:2024-8880:04)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-8880:04 advisory. CVE-2024-1737: add environment variable DNSRDATASETMAXRECORDS, DNSRBTDBMAXRTYPES to override hardcoded limits DDNSRDATASETMAXRECORDS and DDNSRBTDBMAXRTYPES F...

CVSS: 7.5, AI score: 8.3, EPSS: 0.00282
Exploits: 0, References: 2
Tenable Nessus
added 2026/01/20 12:00 a.m., 5 views

MiracleLinux 7 : firefox-91.9.0-1.0.1.el7.AXS7 (AXSA:2022-3176:11)

The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2022-3176:11 advisory. Mozilla: Bypassing permission prompt in nested browsing contexts (CVE-2022-29909); Mozilla: iframe Sandbox bypass (CVE-2022-29911); Mozilla: Fullscreen...

CVSS: 9.8, AI score: 8.5, EPSS: 0.0042
Exploits: 3, References: 7
Tenable Nessus
added 2026/01/20 12:00 a.m., 3 views

MiracleLinux 7 : ksh-20120801-140.el7 (AXSA:2020-4475:02)

The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2020-4475:02 advisory. ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (CVE-2019-14868). Tenable has extracted the...

CVSS: 7.8, AI score: 5.7, EPSS: 0.00204
Exploits: 0, References: 2
CNNVD
added 2026/01/20 12:00 a.m., 2 views

Rockwell Automation Verve Asset Manager security vulnerability

Rockwell Automation Verve Asset Manager is a supplier-neutral OT endpoint management platform provided by Rockwell Automation. There is a security vulnerability in Rockwell Automation Verve Asset Manager, which stems from the ADI server component storing plaintext keys in environment variables...

CVSS: 8.6, AI score: 5.8, EPSS: 0.00025
Exploits: 0, References: 1
RedhatCVE
added 2026/01/19 11:25 p.m., 3 views

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS: 6.8, AI score: 5.7, EPSS: 0.00074
Exploits: 1, References: 1
NVD
added 2026/01/19 8:15 p.m., 2 views

CVE-2026-21696

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider the SQLite maximum parameter limit when processing activity log entries, allowing a low-privileged user to trigger a conditi...

CVSS: 8.3, EPSS: 0.00079
Exploits: 1, References: 3
Snyk
added 2026/01/18 11:48 p.m., 2 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the export process. An attacker with export permissions can access sensitive information, including environment variables, user password hashes, serialized sessio...

CVSS: 8.2, AI score: 5.8, EPSS: 0.00074
Exploits: 1, References: 2
NVD
added 2026/01/18 11:15 p.m., 4 views

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS: 6.8, EPSS: 0.00074
Exploits: 1, References: 4
OSV
added 2026/01/18 10:45 p.m., 5 views

CVE-2026-23626 Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS: 6.8, AI score: 5.7, EPSS: 0.00074
Exploits: 1, References: 6
Vulnrichment
added 2026/01/18 10:45 p.m., 2 views

CVE-2026-23626 Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS: 6.8, AI score: 5.7, EPSS: 0.00074
Exploits: 1, References: 4
ATTACKERKB
added 2026/01/18 10:45 p.m., 2 views

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS: 6.8, AI score: 5.5, EPSS: 0.00074
Exploits: 1, References: 5, Affected Software: 1
Cvelist
added 2026/01/18 10:45 p.m., 15 views

CVE-2026-23626 Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy DefaultPolicy that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS: 6.8, EPSS: 0.00074
Exploits: 1, References: 4
Positive Technologies
added 2026/01/18 12:00 a.m., 4 views

PT-2026-3401

Name of the Vulnerable Software and Affected Versions: Kimai versions prior to 2.46.0. Description: Kimai is a web-based multi-user time-tracking application. The export functionality utilizes a Twig sandbox with an overly permissive security policy DefaultPolicy, enabling arbitrary method calls on...

CVSS: 6.8, AI score: 5.6, EPSS: 0.00074
Exploits: 1, References: 12
OSV
added 2026/01/16 11:59 a.m., 3 views

OESA-2026-1107 mod_security_crs security update

The base rules are provided for modsecurity by this package. Security Fixes: The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart...

CVSS: 9.3, AI score: 6.8, EPSS: 0.03371
Exploits: 4, References: 2
OSV
added 2026/01/16 11:59 a.m., 5 views

OESA-2026-1105 mod_security_crs security update

The base rules are provided for modsecurity by this package. Security Fixes: The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart...

CVSS: 9.3, AI score: 6.8, EPSS: 0.03371
Exploits: 4, References: 2
OSV
added 2026/01/16 11:59 a.m., 3 views

OESA-2026-1104 mod_security_crs security update

The base rules are provided for modsecurity by this package. Security Fixes: The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart...

CVSS: 9.3, AI score: 6.8, EPSS: 0.03371
Exploits: 4, References: 2
Tenable Nessus
added 2026/01/16 12:00 a.m., 2 views

MiracleLinux 4 : glibc-2.12-1.132.AXS4.4 (AXSA:2014-509:05)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2014-509:05 advisory. Description: The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory...

CVSS: 7.5, AI score: 8.5, EPSS: 0.21511
Exploits: 4, References: 3
Positive Technologies
added 2026/01/16 12:00 a.m., 4 views

PT-2026-7856

Name of the Vulnerable Software and Affected Versions: Crawl4AI versions prior to 0.8.0. Description: Crawl4AI is affected by a local file inclusion issue in its Docker API deployment. The /execute js, /screenshot, /pdf, and /html API endpoints accept file:// URLs, which allows unauthenticated remot...

CVSS: 9.2, AI score: 5.8, EPSS: 0.00022
Exploits: 0, References: 8
Tenable Nessus
added 2026/01/16 12:00 a.m., 1 view

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000898)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000898 advisory. The Linux kernel version 3.3-rc1 and later is affected by a vulnerability that lies in the processing of incoming L2CAP commands, ConfigRequest and ConfigResponse...

CVSS: 7.5, AI score: 7.1, EPSS: 0.01922
Exploits: 11, References: 4