
RedHat Linux, added yesterday, 8 views

Important: Red Hat Security Advisory: Red Hat Web Terminal Operator 1.14.0 release.

Red Hat Web Terminal Operator 1.14.0 has been released. The Web Terminal provides a way to access a fully in-browser terminal emulator within the OpenShift Console. Command-line tools for interacting with the OpenShift cluster are pre-installed...

CVSS 9.1, AI score 7.2, EPSS 0.00021
Exploits 1, References 7
Patchstack, added 2026/05/26 5:46 a.m., 4 views

WordPress Planty theme <= 1.14.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Planty versions <= 1.14.0...

AI score 5.8
Exploits 0, Affected Software 1
OSV, added 2026/05/18 12:56 p.m., 1 view

CLEANSTART-2026-BN09969 Security fixes for CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-78h2-9frx-2jm8, ghsa-hfvc-g4fc-pqhx, ghsa-mh2q-q3fh-2475, ghsa-p77j-4mvh-x3m3 applied in versions: 1.14.0-r2

Multiple security vulnerabilities affect the velero-plugin-for-gcp-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS 7.5, AI score 5.8, EPSS 0.00054
Exploits 0, References 27
OSV, added 2026/04/14 1:10 p.m., 4 views

JLSEC-2026-99

Deno =1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory...

CVSS 8.4, AI score 7.2, EPSS 0.00128
Exploits 1, References 4
CNNVD, added 2026/04/14 12:00 a.m., 2 views

Security vulnerability in multiple Trezor products

Trezor One, among others, is a product of the Czech Republic-based Trezor company. Trezor One is a digital currency wallet device. Trezor T is a hardware cryptocurrency wallet device. Trezor Safe is also a hardware cryptocurrency wallet device. Several Trezor products have security vulnerabilitie...

CVSS 4.6, AI score 5.9, EPSS 0.00084
Exploits 0, References 3
OSV, added 2026/04/08 9:51 p.m., 2 views

GHSA-68M9-983M-F3V5 OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response

Description: When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...

CVSS 6.5, AI score 5.8, EPSS 0.00088
Exploits 0, References 4
Snyk, added 2026/04/08 9:51 p.m., 1 view

Information Exposure

Overview: Affected versions of this package are vulnerable to Information Exposure via the runPlaygroundServer process in cmd/run/run.go and the playground configuration in pkg/server/config/config.go. An attacker can recover the preshared API key by sending an unauthenticated request to the...

CVSS 7.5, AI score 5.8, EPSS 0.00088
Exploits 0, References 2
Github Security Blog, added 2026/04/08 9:51 p.m., 7 views

OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response

Description: When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It...

CVSS 6.5, AI score 5.9, EPSS 0.00088
Exploits 0, References 4, Affected Software 1
OSV, added 2026/04/08 12:06 a.m., 3 views

GHSA-R758-8HXW-4845 justhtml: Mutation XSS with custom foreign-namespace sanitization policies

Summary: A parser-differential / mutation XSS issue was found in justhtml when using a custom sanitization policy that preserves foreign namespaces such as SVG or MathML. Under these custom settings, specially crafted input could sanitize into HTML that looked safe at first, but became unsafe when...

CVSS 2.1, AI score 5.7
Exploits 0, References 4
Positive Technologies, added 2026/04/08 12:00 a.m., 3 views

PT-2026-32978

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

CVSS 6.5, AI score 5.7, EPSS 0.00088
Exploits 0, References 7
EUVD, added 2026/04/07 6:05 p.m., 1 view

EUVD-2026-19486

OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision...

CVSS 5, AI score 5.9, EPSS 0.00019
Exploits 0, References 2
OSV, added 2026/04/07 6:05 p.m., 2 views

GHSA-JWVJ-G8PC-CX45 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

Description: In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. Am I affected? You are affected if you meet the following preconditions: 1. You execute BatchCheck operation...

CVSS 5, AI score 5.9, EPSS 0.00019
Exploits 0, References 3
Cvelist, added 2026/04/06 8:41 p.m., 13 views

CVE-2026-34972 OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

CVSS 5, EPSS 0.00019
Exploits 0, References 1
ATTACKERKB, added 2026/04/06 8:41 p.m., 2 views

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

CVSS 5, AI score 5.9, EPSS 0.00019
Exploits 0, References 2, Affected Software 1
Positive Technologies, added 2026/04/06 12:00 a.m., 1 view

PT-2026-30732

Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.8.0 through 1.13.1. Description: OpenFGA is an authorization/permission engine. BatchCheck calls with multiple checks for the same object, relation, and user can lead to improper policy enforcement under specific conditions...

CVSS 5, AI score 5.9, EPSS 0.00019
Exploits 0, References 6
OSV, added 2026/04/01 9:35 a.m., 5 views

CLEANSTART-2026-DA83816 Security fixes for CVE-2026-33186, ghsa-p77j-4mvh-x3m3 applied in versions: 1.14.0-r0

Multiple security vulnerabilities affect the velero-plugin-for-aws package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS 9.1, AI score 5.9, EPSS 0.0002
Exploits 1, References 4
Snyk, added 2026/03/30 5:29 p.m., 3 views

Server-side Request Forgery (SSRF)

Overview: crewai is a cutting-edge framework for orchestrating role-playing, autonomous AI agents. By fostering collaborative intelligence, CrewAI empowers agents to work together seamlessly, tackling complex tasks. Affected versions of this package are vulnerable to Server-side Request Forgery SS...

CVSS 9.8, AI score 6, EPSS 0.00058
Exploits 0, References 2
Snyk, added 2026/03/30 5:29 p.m., 3 views

Server-side Request Forgery (SSRF)

Overview: crewai-tools is a set of tools for the crewAI framework. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the RAG search tools not properly validating user-supplied URLs at runtime. An attacker can access internal or cloud resources by supplying...

CVSS 9.8, AI score 6, EPSS 0.00058
Exploits 0, References 2
OSV, added 2026/02/05 3:20 a.m., 3 views

GO-2026-4419 ingress-nginx has Improper Check for Unusual or Exceptional Conditions in k8s.io/ingress-nginx

ingress-nginx has Improper Check for Unusual or Exceptional Conditions in k8s.io/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabilit...

CVSS 3.1, AI score 5.4, EPSS 0.00014
Exploits 0, References 3
OPENSUSE Linux, added 2026/01/30 12:00 a.m., 7 views

Security update for coredns (important)

openSUSE Security Update: Security update for coredns. Announcement ID: openSUSE-SU-2026:0032-1. Rating: important. References: 1255345. Cross-References: CVE-2025-61726, CVE-2025-61728, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121, CVE-2025-68156. CVSS scores: CVE-2025-61726 SUSE: 6.9...

CVSS 8.7, AI score 7.1, EPSS 0.00045
Exploits 2, References 1