Lucene search

61 matches found

EUVD
added yesterday, 3 views

EUVD-2026-34097

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch...

CVSS 8.4, AI score 5.8
Exploits: 0, References: 1
EUVD
added 2026/05/27 2:39 p.m., 5 views

EUVD-2026-32533

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...

CVSS 7.1, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 1
EUVD
added 2026/04/23 12:31 a.m., 0 views

EUVD-2026-25135

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 uses weaker than expected cryptographic algorithms that could allow an...

CVSS 6.5, AI score 5.7, EPSS 0.00016
Exploits: 0, References: 2
Positive Technologies
added 2026/04/22 12:0 a.m., 1 views

PT-2026-35429

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.32; n8n versions prior to 2.17.4; n8n versions prior to 2.18.1. Description: An authenticated user with permissions to create or modify workflows can achieve global prototype pollution through the XML Node. Prototype...

CVSS 9.9, AI score 6.3, EPSS 0.00193
Exploits: 0, References: 12
OPENSUSE Linux
added 2026/04/21 12:0 a.m., 3 views

Security update for qemu (important)

openSUSE security update: security update for qemu. Announcement ID: openSUSE-SU-2026:20567-1. Rating: important. References: bsc1258509, bsc1259079, bsc1259080. Cross-References: CVE-2026-2243, CVE-2026-3195, CVE-2026-3196. CVSS scores:...

CVSS 8.8, AI score 7.2, EPSS 0.00019
Exploits: 1, References: 3
EUVD
added 2026/04/06 2:39 p.m., 2 views

EUVD-2026-19249

GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6...

CVSS 7.2, AI score 5.9, EPSS 0.00013
Exploits: 0, References: 1
RedhatCVE
added 2026/04/01 5:0 a.m., 0 views

CVE-2026-30284

An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure...

CVSS 8.6, AI score 6.4, EPSS 0.00015
Exploits: 1, References: 1
Positive Technologies
added 2026/03/31 12:0 a.m., 0 views

PT-2026-29289

An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure...

AI score 6.4, EPSS 0.00015
Exploits: 1, References: 5
Vulnrichment
added 2026/03/31 12:0 a.m., 0 views

CVE-2026-30284

An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure...

AI score 6.4, EPSS 0.00015
Exploits: 1, References: 4
Cvelist
added 2026/03/24 6:40 p.m., 16 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

CVSS 6.5, EPSS 0.0005
Exploits: 1, References: 4
Vulnrichment
added 2026/03/24 6:38 p.m., 2 views

CVE-2026-29772 Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

CVSS 5.9, AI score 5.8, EPSS 0.00026
Exploits: 1, References: 1
CNNVD
added 2026/03/20 12:0 a.m., 2 views

Zimbra Collaboration Suite (ZCS) Security Vulnerability

Zimbra Collaboration Suite (ZCS) is an open-source collaboration suite developed by Zimbra Corporation. This product includes features such as WebMail, calendars, and contact management. Both the Zimbra Collaboration Suite 10.0 and 10.1 versions contained security vulnerabilities. These...

CVSS 6.1, AI score 5.7, EPSS 0.00128
Exploits: 0, References: 4
Tenable Nessus
added 2025/10/21 12:0 a.m., 1 views

Zimbra Collaboration 10.1.x < 10.1.5 Stored Cross-Site Scripting

According to its banner, the version of Zimbra Collaboration running on the remote host is 10.0.x prior to 10.0.13 or 10.1.x prior to 10.1.5. It is, therefore, affected by a Stored Cross-Site Scripting (XSS) vulnerability due to insufficient sanitization of HTML content in ICS files. Note that the...

CVSS 5.4, AI score 5.5, EPSS 0.26053
Exploits: 1, References: 2
IBM Security Bulletins
added 2025/10/06 9:30 a.m., 6 views

Security Bulletin: IBM Transformation Extender Advanced is affected by unsafe Java deserialization.

Summary: IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, is affected by unsafe Java deserialization. Vulnerability Details: CVEID: CVE-2023-49886. DESCRIPTION: IBM Standards Processing Engine could allow a remote attacker to execute arbitrary code on the system,...

CVSS 9.8, AI score 7.7, EPSS 0.01803
Exploits: 0, Affected Software: 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-53783

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.6, EPSS 0.00029
Exploits: 0, References: 2
IBM Security Bulletins
added 2025/10/01 4:12 p.m., 2 views

Security Bulletin: IBM Transformation Extender Advanced is could allow user impersonation.

Summary: IBM Transformation Extender Advanced, also known as IBM Standards Processing Engine, could allow an authenticated user to impersonate another user on the system. Vulnerability Details: CVEID: CVE-2023-49881. DESCRIPTION: IBM Standards Processing Engine does not invalidate session after logou...

CVSS 8.8, AI score 6.3, EPSS 0.00041
Exploits: 0, Affected Software: 1
OSV
added 2025/09/15 2:15 p.m., 0 views

UBUNTU-CVE-2023-53193

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v10_0_hw_fini. The gmc.ecc_irq is enabled by firmware per IFWI setting, and the host driver is not privileged to enable/disable the interrupt. So, it is meaningless to use the amdgpu_irq_put...

CVSS 5.5, AI score 5.7, EPSS 0.00022
Exploits: 0, References: 7
RedhatCVE
added 2025/09/02 3:47 p.m., 2 views

CVE-2025-9734

A security flaw has been discovered in O2OA up to 10.0-410. The impacted element is an unknown function of the file /xqueryassembledesigner/jaxrs/stat of the component Personal Profile Page. The manipulation of the argument name/alias/description/applicationName results in cross site scripting. T...

CVSS 5.4, AI score 5.8, EPSS 0.00071
Exploits: 1, References: 1
OSV
added 2025/08/13 2:52 a.m., 1 views

MAL-2025-6937 Malicious code in jenkins-trigger-action (npm)

The package communicates with a domain associated with malicious activity. Source: ossf-package-analysis (fedbad1242e09329c414a95c493ce62c39c15cad4472ef5fc4a8b9b836834fb4). The OpenSSF Package Analysis project identified...

AI score 7.3
Exploits: 0
OSV
added 2025/05/29 3:15 p.m., 0 views

CVE-2025-48748

Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password...

CVSS 10, AI score 5.8, EPSS 0.00366
Exploits: 0, References: 1