Glances - Information Disclosure

Glances 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges. id: CVE-2026-32596 info: name: Glances -...

URL Shortify <= 1.12.1 - Open Redirect

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirectto' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentiall...

OpenCATS - Command Injection

OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard. id: CVE-2026-277...

CVE-2026-42573

A flaw was found in Svelte, a web framework. An attacker could exploit a DOM clobbering vulnerability, which allows manipulation of the Document Object Model DOM to overwrite internal framework state on elements. This could potentially lead to Cross-Site Scripting XSS attacks, enabling the attack...

SUSE SLED15 / SLES15 Security Update : go1.25 (SUSE-SU-2026:2326-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2326-1 advisory. This update for go1.25 fixes the following issues Update to go1.25.11 bsc1244485: - CVE-2026-27145: crypto/x50...

SUSE SLED15 / SLES15 Security Update : go1.26 (SUSE-SU-2026:2327-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2327-1 advisory. This update for go1.26 fixes the following issues Update to go1.26.4 bsc1255111: - CVE-2026-27145: crypto/x509...

SUSE SLES15 Security Update : vim (SUSE-SU-2026:2313-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2313-1 advisory. This update for vim fixes the following issues - CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file...

GHSA-3P42-W5CH-GG42 TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities

Problem Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attack...

GHSA-QCMW-6RM2-5X78 TYPO3 CMS has Broken Access Control in its DataHandler

Problem Backend users were able to move records to a different page without having edit permissions on the source page. Solution Update to TYPO3 versions 13.4.31 LTS, 14.3.3 LTS that fix the problem described. Credits TYPO3 CMS thanks Hyunseo Shin for reporting this issue, and TYPO3 security team...

GHSA-CHM7-4VCH-H8VR TYPO3 CMS has Broken Access Control in its Media Module

Problem Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer FAL via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files...

SUSE CVE-2026-6322

fast-uri normalize decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator...

SUSE-SU-2026:2365-1 Security update for cosign

This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Changes for cosign: - update to 3.0.6: Fix DSSE predicate check GHSA-w6c6-c85g-mmv6 4801 Handle whitespace-only certificate...

Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.4 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...

EUVD-2025-210096

A cross-site request forgery CSRF vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291...

PT-2026-48540

Due to the combination of checking out PR head branches attacker-controlled, reading .mcp.json from the working directory via default setting sources, and unconditionally enabling all project MCP servers via enableAllProjectMcpServers, it was possible for an attacker who opened a PR containing a...

GHSA-46Q3-7GV7-QMGG Net::IMAP: Command Injection via ID command argument

Summary Two Net::IMAP commands, id and enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon. Details Whe...

Security update for 389-ds

This update for 389-ds fixes the following issue CVE-2026-9064: unbounded LDAP controls count in getldapmessagecontrolsext can lead to amplified CPU time and heap allocation and a denial of service bsc1265898. Changes for 389-ds: Update to version 2.0.20git90.9f70d434e. Patch Instructions: To...

SUSE-SU-2026:22051-1 Security update for elemental-toolkit

This update for elemental-toolkit fixes the following issue - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260277. Changes: - Update to v2.3.4: 974af043 Bump golang.org/x/net to v0.55.0 bsc1267168 bsc1251679 ae39c90...

CVE-2026-35447

NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page modules/Core/pages/profile.php processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to wri...

openSUSE 16 Security Update : roundcubemail (openSUSE-SU-2026:20852-1)

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20852-1 advisory. Changes in roundcubemail: - update to 1.6.16 - Fix potential too long value in IMAP ID command 10136 - Security: Fix stored XSS/HTML/CSS injecti...