
2746 matches found

OSV
added 2026/06/04 8:49 p.m. | 5 views

ROOT-APP-NPM-CVE-2026-3304 CVE-2026-3304 in @rootio/multer - Patched by Root

Root has patched CVE-2026-3304 in the @rootio/multer package for Root:npm. Multiple fixed versions available...

CVSS 8.7 | AI score 5.8 | EPSS 0.00019
Exploits: 1

OSV
added 2026/06/04 8:46 p.m. | 5 views

ROOT-APP-NPM-CVE-2024-55565 CVE-2024-55565 in @rootio/nanoid - Patched by Root

Root has patched CVE-2024-55565 in the @rootio/nanoid package for Root:npm. Multiple fixed versions available...

CVSS 4.3 | AI score 5.4 | EPSS 0.00107
Exploits: 0

OSV
added 2026/06/04 8:45 p.m. | 2 views

ROOT-APP-NPM-CVE-2021-44906 CVE-2021-44906 in @rootio/minimist - Patched by Root

Root has patched CVE-2021-44906 in the @rootio/minimist package for Root:npm. Multiple fixed versions available...

CVSS 9.8 | AI score 8.2 | EPSS 0.00789
Exploits: 1

IBM Security Bulletins
added 2026/06/04 3:5 p.m. | 7 views

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationRuntime and IntegrationServer operands that use Kafka are vulnerable to loss of confidentiality (CVE-2025-27817, CVE-2025-27818)

Summary: Apache Kafka Client is used by IBM App Connect Enterprise Certified Container when running flows that connect to a Kafka server. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka Client are vulnerable to loss of confidentiality...

CVSS 8.8 | AI score 6.7 | EPSS 0.21423
Exploits: 2 | Affected Software: 1

EUVD
added 2026/06/04 2:33 p.m. | 9 views

EUVD-2026-34286

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public /image/ route that resolves attacker-controlled entries from imagehashlookup and replays them through the same server-side image fetch logic used by authenticated image proxying...

CVSS 9.9 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 2

Vulnrichment
added 2026/06/02 9:15 p.m. | 5 views

CVE-2026-10650 warmcat libwebsockets SSH Protocol sshd.c lws_ssh_parse_plaintext resource consumption

A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocollwssshbase/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msglen can lead to resource consumption. The attack may be...

CVSS 6.9 | AI score 5.7 | EPSS 0.00072
Exploits: 0 | References: 8

EUVD
added 2026/06/02 8:31 p.m. | 8 views

EUVD-2026-34030

authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1...

CVSS 9.8 | AI score 5.7 | EPSS 0.00067
Exploits: 1 | References: 1

EUVD
added 2026/06/02 8:30 p.m. | 7 views

EUVD-2026-34025

authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin...

CVSS 6.9 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 1

EUVD
added 2026/06/02 3:24 p.m. | 8 views

EUVD-2026-33952

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond th...

CVSS 7.5 | AI score 5.9 | EPSS 0.00128
Exploits: 1 | References: 2

Positive Technologies
added 2026/06/02 12:0 a.m. | 7 views

PT-2026-45856

Name of the Vulnerable Software and Affected Versions: CloudburstMC Protocol versions prior to 3.0.0.Beta12-20260420.182526-15. Description: CloudburstMC Protocol, a protocol library for Minecraft Bedrock Edition, contains a flaw where validation for FULL type authentication tokens is partially...

CVSS 5.3 | AI score 5.8 | EPSS 0.00022
Exploits: 0 | References: 3

OSV
added 2026/05/25 8:5 a.m. | 6 views

ROOT-APP-MAVEN-CVE-2023-26119 CVE-2023-26119 in io.root.net.sourceforge.htmlunit:htmlunit - Patched by Root

Root has patched CVE-2023-26119 in the io.root.net.sourceforge.htmlunit:htmlunit package for Root:Maven. Multiple fixed versions available...

CVSS 9.8 | AI score 5.8 | EPSS 0.04027
Exploits: 1

OSV
added 2026/05/21 4:11 p.m. | 5 views

ROOT-APP-GOBINARY-CVE-2026-27889 CVE-2026-27889 in rootio-github.com/nats-io/nats-server/v2 - Patched by Root

Root has patched CVE-2026-27889 in the rootio-github.com/nats-io/nats-server/v2 package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 6.3 | EPSS 0.00094
Exploits: 0

OSV
added 2026/05/20 11:23 a.m. | 3 views

ROOT-APP-GOBINARY-CVE-2026-32287 CVE-2026-32287 in rootio-github.com/antchfx/xpath - Patched by Root

Root has patched CVE-2026-32287 in the rootio-github.com/antchfx/xpath package for Root:Go. Multiple fixed versions available...

CVSS 7.5 | AI score 5.8 | EPSS 0.00037
Exploits: 1

Tenable Nessus
added 2026/05/20 12:0 a.m. | 9 views

Fedora 43 : kernel (2026-5e5a0f9621)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-5e5a0f9621 advisory. The 7.0.7 stable kernel update contains a number of important fixes across the tree. It also patches up a vulnerable codepath for fragnesia that was not in t...

AI score 5.8
Exploits: 0 | References: 1

Tenable Nessus
added 2026/05/20 12:0 a.m. | 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-40020

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imapaclallowanyone=no. This causes folders to be...

CVSS 4.3 | AI score 5.5 | EPSS 0.00026
Exploits: 0 | References: 3

Tenable Nessus
added 2026/05/15 12:0 a.m. | 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-42327

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders returns OCSP responder URLs from...

CVSS 8.7 | AI score 5.9 | EPSS 0.00021
Exploits: 0 | References: 3

OSV
added 2026/05/13 8:14 p.m. | 3 views

PSF-0000-CVE-2026-8328

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername()[0], ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

CVSS 5.9 | AI score 5.8 | EPSS 0.00061
Exploits: 0 | References: 3

Wordfence Blog
added 2026/05/13 4:56 p.m. | 14 views

200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin

On May 8, 2026, PRISM, Wordfence Threat Intelligence’s autonomous vulnerability research platform, discovered a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with more than 200,000 active installations. The vulnerability was introduced in the code on April 2...

CVSS 9.8 | AI score 6.1 | EPSS 0.04514
Exploits: 9

OSV
added 2026/05/13 9:41 a.m. | 3 views

ROOT-APP-GOBINARY-CVE-2026-31892 CVE-2026-31892 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2026-31892 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

CVSS 8.9 | AI score 7.2 | EPSS 0.00027
Exploits: 1

Positive Technologies
added 2026/05/12 12:0 a.m. | 7 views

PT-2026-40315

Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0...

CVSS 8.6 | AI score 6 | EPSS 0.00022
Exploits: 0 | References: 6