56 matches found

EUVD
added 2026/05/28 5:17 p.m. | 13 views

EUVD-2026-32959

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common...

CVSS 6 | AI score 5.8 | EPSS 0.00008
Exploits: 0 | References: 2

AstraLinux
added 2026/05/20 5:53 a.m. | 5 views

Astra Linux - vulnerability in libcommons-net-java

Prior to Apache Commons Net 3.9.0, Net’s FTP client trusted the host based on the PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user had to connect to the malicious server in the first place. This could result in the leakage of...

CVSS 6.5 | AI score 6.8 | EPSS 0.00249
Exploits: 0 | References: 1

Vulnrichment
added 2026/05/08 3:29 p.m. | 5 views

CVE-2026-42353 Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...

CVSS 8.2 | AI score 5.7 | EPSS 0.00021
Exploits: 0 | References: 1

Amazon
added 2026/04/30 12:0 a.m. | 3 views

Important: maven3.9

Issue Overview: Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code (CVE-2025-67030). Affected Packages: maven3.9. Issue Correction: Run dnf...

CVSS 8.8 | AI score 5.9 | EPSS 0.00427
Exploits: 0

Packet Storm
added 2026/04/24 12:0 a.m. | 108 views

📄 NLTK 3.9.2 Path Traversal / File Disclosure

NLTK version 3.9.2 suffers from a path traversal vulnerability that allows for file disclosure. Title: NLTK 3.9.2 Path Traversal - File Disclosure Exploit. Auth...

CVSS 8.6 | AI score 5.4 | EPSS 0.0008
Exploits: 3

Debian
added 2026/04/15 4:26 p.m. | 2 views

[SECURITY] [DLA 4532-1] python3.9 regression and security update

Debian LTS Advisory DLA-4532-1 [email protected] https://www.debian.org/lts/security/ Arnaud Rebillout April 15, 2026 https://wiki.debian.org/LTS ...

CVSS 9.1 | AI score 5.8 | EPSS 0.00137
Exploits: 0

NVD
added 2026/04/15 11:16 a.m. | 3 views

CVE-2026-40740

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7...

CVSS 5.4 | EPSS 0.00046
Exploits: 0 | References: 1

RedhatCVE
added 2026/04/13 7:23 p.m. | 1 view

CVE-2026-3358

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing poststatus validation in the enrollnow and courseenrollment functions. Both enrollment endpoints...

CVSS 5.4 | AI score 5.8 | EPSS 0.0003
Exploits: 0 | References: 1

RedhatCVE
added 2026/03/26 3:8 p.m. | 4 views

CVE-2026-33332

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...

CVSS 7.5 | AI score 5.7 | EPSS 0.0004
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/19 8:5 a.m. | 2 views

CVE-2025-32223 WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4...

CVSS 6.5 | AI score 5.1 | EPSS 0.00015
Exploits: 0 | References: 1

CVE
added 2026/03/10 9:25 a.m. | 10 views

CVE-2026-1261

MetForm Pro

CVSS 7.2 | AI score 5.9 | EPSS 0.00139
Exploits: 0 | References: 5

Tenable Nessus
added 2026/03/10 12:0 a.m. | 1 view

RHEL 9 : python3.9 (RHSA-2026:4168)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:4168 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

CVSS 6 | AI score 7.2 | EPSS 0.0017
Exploits: 0 | References: 10

Wordfence Blog
added 2026/03/09 5:13 p.m. | 6 views

30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin

On December 30th, 2025, we received a submission for an Authentication Bypass vulnerability in Tutor LMS Pro, a WordPress plugin estimated to have more than 30,000 active installations. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site...

CVSS 9.8 | AI score 7 | EPSS 0.00096
Exploits: 0

CNNVD
added 2026/01/30 12:0 a.m. | 3 views

10-Strike Bandwidth Monitor security vulnerability

10-Strike Bandwidth Monitor is a network bandwidth monitoring and traffic analysis tool developed by the American company 10-Strike. Version 3.9 of 10-Strike Bandwidth Monitor contains a security vulnerability; this vulnerability stems from a buffer overflow issue related to the input of...

CVSS 9.8 | AI score 6.4 | EPSS 0.00066
Exploits: 0 | References: 3

CNNVD
added 2026/01/29 12:0 a.m. | 3 views

10-Strike Bandwidth Monitor code issue vulnerability

10-Strike Bandwidth Monitor is a network bandwidth monitoring and traffic analysis tool developed by the American company 10-Strike. Version 3.9 of 10-Strike Bandwidth Monitor has a code vulnerability; this vulnerability arises from multiple service paths not being enclosed in quotes, which may...

CVSS 8.5 | AI score 5.9 | EPSS 0.00022
Exploits: 0 | References: 3

CVE
added 2026/01/22 4:52 p.m. | 5 views

CVE-2025-69002

CVE-2025-69002 describes a Deserialization of Untrusted Data vulnerability in designthemes OneLife/OneLife theme for WordPress, enabling Object Injection. Affected software: OneLife (WordPress Theme) up to version 3.9. Root cause: deserialization of untrusted data leading to object injection. Imp...

CVSS 8.8 | AI score 5.4 | EPSS 0.00114
Exploits: 0 | References: 1

OSV
added 2026/01/20 12:0 a.m. | 4 views

DLA-4445-1 python3.9 - security update

Bulletin has no description...

CVSS 9.8 | AI score 7 | EPSS 0.014
Exploits: 1

Tenable Nessus
added 2026/01/15 12:0 a.m. | 1 view

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002417)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002417 advisory. Memory leak in the kvmsetmemoryregion function in virt/kvm/kvmmain.c in the Linux kernel before 3.9 allows local users to cause a denial of service memory consumptio...

CVSS 4 | AI score 7.2 | EPSS 0.00087
Exploits: 1 | References: 19

NVD
added 2025/12/19 1:16 a.m. | 1 view

CVE-2025-14908

A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module...

CVSS 8.1 | EPSS 0.00134
Exploits: 1 | References: 5

OSV
added 2025/12/16 9:16 a.m. | 3 views

CVE-2025-68062

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion. This issue affects MinimogWP: from n/a through <= 3.9.6...

CVSS 7.5 | AI score 5.8 | EPSS 0.00109
Exploits: 0 | References: 1