PT-2026-46006

Name of the Vulnerable Software and Affected Versions OP-TEE versions 3.16.0 through 4.10.x Description A use-after-free race condition exists in the shared memory teardown logic of FF-A within SPMC/SP flows. This occurs when OP-TEE is configured as an SPMC for S-EL0 SPs using CFG SECURE...

CVE-2026-32270

The CVE affects Craft Commerce (Craft CMS) where PaymentsController::actionPay leaks order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. In affected versions 4.0.0–4.10.2 and 5.0.0–5.5.4, the JSON error response includes the ...

CVE-2026-31867 Craft Commerce has a Potential IDOR in Commerce carts

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference IDOR vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController...

CVE-2026-31867

Craft Commerce (Craft CMS) Before versions 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the cart loading/modification flow. The CartController accepts a user-supplied 32-character cart number and loads a cart without ownership validation, allowing an attack...

Craft Commerce 安全漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.11.0 and 5.6.0 of Craft Commerce contained security vulnerabilities. These vulnerabilities stemmed from a lack of ownership verification in the shopping cart functionality, which coul...

CVE-2026-27840

Technical details for CVE-2026-27840 are not provided in the supplied documents. Monitor for updates and vendor advisories for Zitadel versions and remediation.

CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

ZITADEL 安全漏洞

ZITADEL is a modern open-source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak, developed for the era of containers and serverless environments by ZITADEL in Switzerland. There were security vulnerabilities in versions of ZITADEL between 2.31.0 and 3.4.7, as well as in version...

CVE-2022-38724

Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS...

Improper Request Caching Lookup in the Auth0 Next.js SDK

Description When using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. Am I Affected? You are affected if you meet the following preconditions: - Applications using the auth0/nextjs-aut...

CVE-2025-62788

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, wcopyeventforlog references memory initially allocated in OSCleanMSG after it has been freed. A compromised agent can potentially compromise the integrity of the application by sending a...

CVE-2025-62790

Wazuh before version 4.11.0 is vulnerable to a NULL pointer/NULL string dereference in fim_fetch_attributes_state(), where time_string is not checked for NULL before calling strlen(). A crafted agent message to the Wazuh manager can crash analysisd, causing denial of service and unavailability of...

CVE-2025-62788 Wazuh Vulnerable to Heap Use After Free in w_copy_event_for_log

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, wcopyeventforlog references memory initially allocated in OSCleanMSG after it has been freed. A compromised agent can potentially compromise the integrity of the application by sending a...

CVE-2025-62788 Wazuh Vulnerable to Heap Use After Free in w_copy_event_for_log

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, wcopyeventforlog references memory initially allocated in OSCleanMSG after it has been freed. A compromised agent can potentially compromise the integrity of the application by sending a...

Wazuh 代码问题漏洞

Wazuh is a Wazuh open source application. It is used to collect, aggregate, index and analyze security data to help organizations detect intrusions, threats and behavioral anomalies. A code issue vulnerability exists in Wazuh versions prior to 4.11.0 that stems from not checking the...

PT-2025-44325

Name of the Vulnerable Software and Affected Versions Wazuh versions prior to 4.11.0 Description Wazuh is a platform for threat prevention, detection, and response. A flaw exists in the DecodeCiscat implementation where the return value of cJSON GetObjectItem is not checked for a possible NULL...

EUVD-2019-3513

Malware in sbrugna...

CVE-2025-10696

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party the target user, who can then view the...

CVE-2025-10692 OpenSupports 4.11.0 — SQL Injection

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user level ≥ 1 can inject SQL to alter the filter logic, effectively bypassing department scoping...

OpenSupports 安全漏洞

OpenSupports is a simple open source ticketing platform from OpenSupports Open Source. A security vulnerability exists in OpenSupports version 4.11.0 that stems from not verifying that the operator is the list owner, which could lead to elevated privileges and information disclosure...