265 matches found

Source: OSV | added 2 days ago | 3 views

EEF-CVE-2026-48861 CRLF injection in HTTP/1 request line via unvalidated method in Mint

Summary: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the...

CVSS 2.1 | AI score 6 | EPSS 0.00021
Exploits 0 | References 4
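To make the Mint finding concrete, the following added example (not Mint's own Elixir code, and written in Python rather than Elixir) models the flaw described above: a request-line encoder that splices an unvalidated method and target straight into `METHOD TARGET HTTP/1.1\r\n`, next to a hardened encoder that restricts the method to RFC 9110 token characters and rejects whitespace and control characters in the target. The helper names and the crafted method string are constructed for the illustration.

```python
import re

# RFC 9110 "token" characters: the only characters allowed in an HTTP method.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Matches a complete request line as a server's parser would recognise one.
REQUEST_LINE_RE = re.compile(r"\S+ \S+ HTTP/1\.[01]")


def encode_request_line_unchecked(method: str, target: str) -> str:
    """Models the flaw: caller input goes straight into the request line,
    so CR/LF inside `method` or `target` ends the line early."""
    return f"{method} {target} HTTP/1.1\r\n"


def encode_request_line_checked(method: str, target: str) -> str:
    """Hardened form: validate before splicing.

    - the method must be a non-empty RFC 9110 token;
    - the target must be non-empty and free of whitespace and
      control characters (anything below 0x21, plus DEL).
    """
    if not TOKEN_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        raise ValueError(f"invalid request target: {target!r}")
    return f"{method} {target} HTTP/1.1\r\n"


def count_request_lines(wire: str) -> int:
    """Count how many request lines a receiving server would see in `wire`.
    A correctly encoded single request yields exactly one."""
    return sum(1 for line in wire.split("\r\n") if REQUEST_LINE_RE.fullmatch(line))


def rejects(method: str, target: str) -> bool:
    """True when the hardened encoder refuses the (method, target) pair."""
    try:
        encode_request_line_checked(method, target)
    except ValueError:
        return True
    return False


# Constructed attacker-controlled "method": a complete first request, a blank
# line, and the start of a second request line that will be finished by the
# encoder's own " TARGET HTTP/1.1\r\n" suffix.
SMUGGLED_METHOD = "GET / HTTP/1.1\r\nHost: victim.example\r\n\r\nGET"

if __name__ == "__main__":
    wire = encode_request_line_unchecked(SMUGGLED_METHOD, "/admin")
    print(repr(wire))
    print("request lines seen by server:", count_request_lines(wire))
    print("hardened encoder rejects it:", rejects(SMUGGLED_METHOD, "/admin"))
```

Run as a script, the unchecked encoder emits two request lines from a single call, which is the request-splitting primitive the advisory describes; the checked encoder raises before any bytes are produced.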
Source: CNNVD | added 6 days ago | 4 views

Mermaid code injection vulnerability

Mermaid is an open-source application software developed by mermaid-js. It uses text and code to create charts and visualizations. Versions of Mermaid prior to 10.9.6 and 11.15.0 contain a code injection vulnerability. This vulnerability stems from the default configuration, which allows CSS to b...

CVSS 5.3 | AI score 5.9 | EPSS 0.00044
Exploits 0 | References 5
Source: Positive Technologies | added 2026/05/27 12:00 a.m. | 4 views

PT-2026-43580

Name of the Vulnerable Software and Affected Versions: Synology Surveillance Station versions prior to 9.2.2-11575; Synology Surveillance Station versions prior to 9.2.2-9575. Description: The Export Key functionality contains a flaw that allows the cleartext transmission of sensitive information. Th...

CVSS 4.9 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 3
Source: Patchstack | added 2026/05/26 8:04 a.m. | 3 views

WordPress Gat theme <= 1.16 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Gat versions <= 1.16...

AI score 5.8
Exploits 0 | Affected Software 1
Source: CNNVD | added 2026/05/26 12:00 a.m. | 3 views

Blitz code injection vulnerability

Blitz is an open-source full-stack Next.js development toolkit developed by Blitz. Blitz versions 3.0.2 and earlier contain a code injection vulnerability. It stems from an unknown function in the packages/generator/templates/app/src/app/auth/components/LoginForm.tsx file,...

CVSS 5.3 | AI score 5.7 | EPSS 0.00033
Exploits 0 | References 4
Source: CVE | added 2026/05/25 8:19 p.m. | 16 views

CVE-2026-43828

CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...

CVSS 6.5 | AI score 5.8 | EPSS 0.00024
Exploits 0 | References 2 | Affected Software 1
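The Shiro entry is about a missing cookie attribute, which is something a practitioner can check directly on a response rather than only by version. The following added example (not Shiro's code, and not taken from the advisory) parses `Set-Cookie` header values and flags session-bearing cookies that lack the `Secure` attribute. The header values are constructed for the illustration; the set of cookie names treated as sensitive is an assumption based on the two names the advisory mentions.

```python
from typing import Dict, List, Tuple

# Cookie names the advisory above calls out; compared case-insensitively.
# Assumption: any deployment-specific session cookie would be added here.
SENSITIVE_COOKIE_NAMES = {"jsessionid", "rememberme"}


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string, valued ones (Path, Max-Age) keep
    their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return the names of sensitive cookies that are set without `Secure`.

    A cookie without Secure is sent by the browser over plain HTTP as well,
    which is the leak the advisory describes.
    """
    findings: List[str] = []
    for header_value in headers:
        name, _, attrs = parse_set_cookie(header_value)
        if name.lower() in SENSITIVE_COOKIE_NAMES and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample response headers: a Shiro-style default (no Secure)
# next to a corrected pair that carries the attribute.
DEFAULT_HEADERS = [
    "JSESSIONID=1f2e3d4c5b6a; Path=/; HttpOnly",
    "rememberMe=deleteMe; Path=/; Max-Age=0",
    "theme=dark; Path=/",
]

HARDENED_HEADERS = [
    "JSESSIONID=1f2e3d4c5b6a; Path=/; HttpOnly; Secure",
    "rememberMe=deleteMe; Path=/; Max-Age=0; HttpOnly; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("default :", audit_set_cookie_headers(DEFAULT_HEADERS))
    print("hardened:", audit_set_cookie_headers(HARDENED_HEADERS))
```

The `theme` cookie is deliberately left out of the findings in both runs: the check is scoped to the cookies that carry session or remember-me state, since those are the ones whose exposure over HTTP matters.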
Source: Positive Technologies | added 2026/05/25 12:00 a.m. | 6 views

PT-2026-43110

Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions 1.6.x through 1.6.15; Roundcube Webmail versions 1.7.x through 1.7.0. Description: An issue allows pre-authentication arbitrary file deletion through a session poisoning bypass when using redis or memcache. Session...

CVSS 3.7 | AI score 5.9 | EPSS 0.00068
Exploits 0 | References 16
Source: AstraLinux | added 2026/05/20 5:53 a.m. | 1 view

Astra Linux - vulnerability in python-ipaddress

The Lib/ipaddress.py module in Python up to version 3.8.3 incorrectly calculates hash values for the IPv4Interface and IPv6Interface classes. This may allow a remote attacker to cause a denial of service if an application relies on the performance of a dictionary containing IPv4Interface or...

CVSS 5.9 | AI score 6.7 | EPSS 0.00697
Exploits 0 | References 2
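The python-ipaddress entry is a hash-collision denial of service, and the mechanism is easier to see in a few lines than in prose. The following added example (not CPython's code) builds interface objects with the standard library and compares two hash functions over them: `weak_hash`, an assumed model of the flawed computation in which the address, prefix length and network address are XORed together so that the network bits cancel out, and `fixed_hash`, which hashes the same three fields as a tuple. The function names and the constructed address range are illustration choices.

```python
import ipaddress
from typing import Callable, List

Interface = ipaddress.IPv4Interface


def weak_hash(iface: Interface) -> int:
    """Assumed model of the flawed hash: XOR of address, prefix length and
    network address. Since the address is (network | host offset), the
    network bits cancel and only (host offset ^ prefixlen) survives, so every
    interface with the same host offset and prefix length collides."""
    return int(iface.ip) ^ iface.network.prefixlen ^ int(iface.network.network_address)


def fixed_hash(iface: Interface) -> int:
    """Tuple hash over the same three fields: distinct networks now yield
    distinct inputs to the hash instead of cancelling each other out."""
    return hash((int(iface.ip), iface.network.prefixlen, int(iface.network.network_address)))


def colliding_interfaces(count: int) -> List[Interface]:
    """Constructed input: `count` interfaces in different /24 networks under
    10.0.0.0/8 that all use host offset 1, so they all share a weak hash."""
    return [Interface(f"10.{(i >> 8) & 255}.{i & 255}.1/24") for i in range(count)]


def distinct_buckets(ifaces: List[Interface], h: Callable[[Interface], int]) -> int:
    """How many distinct hash values `h` produces over `ifaces`; the lower the
    number, the longer every dict/set probe chain becomes."""
    return len({h(i) for i in ifaces})


if __name__ == "__main__":
    sample = colliding_interfaces(1000)
    print("weak  hash buckets:", distinct_buckets(sample, weak_hash))
    print("fixed hash buckets:", distinct_buckets(sample, fixed_hash))
```

With the weak hash, a thousand distinct interfaces in a thousand distinct networks land in a single bucket, which is the degraded dictionary performance the advisory refers to; with the tuple hash they spread out as expected. The same cancellation applies to IPv6 interfaces, since the computation does not depend on address width.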
Source: CNNVD | added 2026/05/13 12:00 a.m. | 5 views

CVAT.ai CVAT security vulnerability

CVAT.ai CVAT is an open-source data processing tool developed by CVAT.ai. CVAT versions 2.5.0 through 2.63.0 contain security vulnerabilities. They stem from attackers being able to create or edit annotation guides on tasks and add malicious JavaScript code...

CVSS 8.5 | AI score 6.1 | EPSS 0.00052
Exploits 0 | References 2
Source: NVD | added 2026/05/12 8:16 p.m. | 5 views

CVE-2026-34648

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources,...

CVSS 7.5 | EPSS 0.00031
Exploits 0 | References 1
Source: OSV | added 2026/05/08 5:43 a.m. | 5 views

BIT-JRE-2020-14779

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...

CVSS 4.3 | AI score 6.7 | EPSS 0.00164
Exploits 0 | References 13
Source: AstraLinux | added 2026/05/03 11:59 p.m. | 4 views

Astra Linux - vulnerability in openjdk-11

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0....

CVSS 3.7 | AI score 5.4 | EPSS 0.00333
Exploits 0 | References 2
Source: AstraLinux | added 2026/05/03 11:59 p.m. | 4 views

Astra Linux - vulnerability in bind9

The DNS message parsing code in named includes a section whose computational complexity is excessively high. This does not cause problems for typical DNS traffic, but crafted queries and responses may lead to excessive CPU load on the affected named instance by exploiting this flaw. This issue...

CVSS 7.5 | AI score 6.7 | EPSS 0.00295
Exploits 0 | References 2
Source: AstraLinux | added 2026/05/03 11:59 p.m. | 4 views

Astra Linux - vulnerability in apache2

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for this vulnerability, but it might be possible to create one. This issue affects Apache HTTP Server 2.4.51 and earlie...

CVSS 9.8 | AI score 7.5 | EPSS 0.86227
Exploits 4 | References 2
Source: EUVD | added 2026/05/01 2:40 p.m. | 0 views

EUVD-2026-26657

An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur...

CVSS 6.5 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 2
Source: EUVD | added 2026/04/24 10:15 a.m. | 2 views

EUVD-2026-25410

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport...

CVSS 8.8 | AI score 6.5 | EPSS 0.83461
Exploits 11 | References 1
Source: Vulnrichment | added 2026/04/24 10:15 a.m. | 1 view

CVE-2026-40466 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport...

AI score 8.6 | EPSS 0.83461
Exploits 11 | References 1
Source: CNNVD | added 2026/04/24 12:00 a.m. | 3 views

NSIS code issue vulnerability

NSIS is an open-source tool developed by NSIS Development for creating Windows installation programs. NSIS versions 3.06.1 through 3.12 contain a code issue vulnerability. It stems from the use of a low-integrity-level (low-IL) temporary directory when executed as SYSTEM, allowing local attackers t...

CVSS 7.8 | AI score 5.9 | EPSS 0.00007
Exploits 0 | References 2
Source: RedhatCVE | added 2026/04/14 1:22 a.m. | 3 views

CVE-2026-39645

Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce (global-payments-woocommerce) allows Server Side Request Forgery. This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0...

CVSS 5.4 | AI score 5.8 | EPSS 0.00038
Exploits 0 | References 1
Source: CNNVD | added 2026/04/13 12:00 a.m. | 1 view

Pandora FMS security vulnerability

Pandora FMS is a monitoring system developed by the American company Pandora FMS. It provides visual monitoring of networks, servers, virtual infrastructure, and applications. Pandora FMS versions 777 through 800 contain security vulnerabilities, which stem from improper handling of special...

CVSS 8.8 | AI score 5.8 | EPSS 0.00159
Exploits 0 | References 1