7923 matches found
CVE-2026-40711
Dell Dell Container Storage Modules, versions csi-powerstore v2.16.0, csi-unity v2.16.0, csi-powerflex v2.16.0, csi-powermax v2.16.0, contains an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability. A high privileged attacker with remote access...
CVE-2025-10268 Printcart Web to Print Product Designer for WooCommerce <= 2.4.8 - Unauthenticated Folder Content Disclosure via Path Traversal
The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server...
CVE-2026-48619
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...
SUSE SLES16: dovecot24 / dovecot24-backend-mysql / dovecot24-backend-pgsql / etc (SUSE-SU-2026:22185-1)
The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:22185-1 advisory. This update for dovecot24 fixes the following issues - CVE-2026-27851: lib-var-expand: safe filter leaks to all following pipeline...
SUSE SLES16 Security Update : mcphost (SUSE-SU-2026:22193-1)
The remote SUSE Linux SLES16 / SLESSAP16 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:22193-1 advisory. This update for mcphost fixes the following issues - CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506:...
GO-2026-5487 HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service in github.com/hashicorp/vault
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service in github.com/hashicorp/vault...
CVE-2026-9099 Keycloak: group-admin escalation to realm-admin
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-48942
Affected software: K2 extension for Joomla (getk2.com), version constraint listed as K2 ≤ 2.26. Vulnerability: two templates render the database column __#k2_users.image directly into HTML src attributes without HTML escaping, revealing a stored-XSS risk. Root cause: lack of escaping when injecti...
CVE-2026-46733
Dell Display and Peripheral Manager DDPM Windows, versions prior to 2.3, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution...
SUSE-SU-2026:2631-1 Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP4 RT kernel was updated to fix various security issues The following security issues were fixed: - CVE-2025-10263: arm64: errata: Mitigate TLBI errata on various Arm CPUs bsc1266290. - CVE-2025-68324: scsi: imm: Fix use-after-free bug caused by unfinished delayed wo...
CVE-2026-45188
Relative Path Traversal vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...
CVE-2026-53198
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred filelock on double SMB2CANCEL A deferred byte-range lock an SMB2LOCK that blocks registers an async work on conn-asyncrequests via setupasyncwork, with cancelfn = smb2removeblockedlock and...
WordPress Gravity Bookings plugin <= 2.7.1 - Authenticated (Subscriber+) Time-Based SQL Injection vulnerability
Authenticated Subscriber+ Time-Based SQL Injection vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Gravity Forms Bookings premium versions = 2.7.1...
CVE-2026-46751
CVE-2026-46751 affects Apache Kvrocks (2.2.0–2.15.0). The root cause is that Kvrocks does not remove the unsafe loadstring function from its Lua sandbox, enabling a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of...
PT-2026-52536
Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.6 Description The Hook Authentication feature allows administrators to delegate login verification to an external shell command. User-supplied credentials, specifically the username and password variables, a...
PT-2026-52612
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 2.2.5 Description An unauthenticated arbitrary file upload issue exists when storageType is set to local. This allows attackers to use path traversal—a technique used to access files and directories outside the intend...
PT-2026-52410
Name of the Vulnerable Software and Affected Versions Visual Link Preview versions 2.3.1 and earlier Description Subscriber sensitive data exposure occurs in the software, potentially allowing unauthorized access to private information. Recommendations Disable or isolate the software immediately...
Linux Distros Unpatched Vulnerability : CVE-2026-42450
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, FileFormatSpi3D.cpp:163 uses sscanf with %s into 64-byte...
CVE-2026-55583
Twenty, before version 2.9.0, is affected by a cross-workspace insecure direct object reference in the AI agent monitor’s Resolver (agent-turn.resolver.ts). The query paths agentTurns(agentId) and evaluateAgentTurn(turnId) retrieved rows by agentId or id without restricting workspaceId, and guard...
EUVD-2026-38864
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open ksmbdlookupfdcguid returns a ksmbdfile with its refcount incremented via ksmbdfpget. parsedurablehandlecontext in the DURABLEREQV2 case properly releases this...