2746 matches found

OSV, added 2026/03/29 6:58 p.m., 4 views

ROOT-OS-ALPINE-318-CVE-2023-49286 CVE-2023-49286 in rootio-squid - Patched by Root

Root has patched CVE-2023-49286 in the rootio-squid package for Root:Alpine:3.18. Multiple fixed versions available...

CVSS 8.6, AI score 5.4, EPSS 0.01726, Exploits 0
OSV, added 2026/03/29 6:36 p.m., 1 view

ROOT-OS-DEBIAN-12-CVE-2025-6297 CVE-2025-6297 in rootio-dpkg - Patched by Root

Root has patched CVE-2025-6297 in the rootio-dpkg package for Root:Debian:12. Multiple fixed versions available...

CVSS 8.2, AI score 7.2, EPSS 0.00265, Exploits 0
SUSE CVE, added 2026/03/28 12:25 a.m., 4 views

SUSE CVE-2026-33215

NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, sessions and messages can be hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issu...

CVSS 6.5, AI score 5.9, EPSS 0.00017, Exploits 0, References 3
NVD, added 2026/03/27 10:16 p.m., 3 views

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVSS 8.2, EPSS 0.00064, Exploits 1, References 8
ATTACKERKB, added 2026/03/27 1:52 p.m., 1 view

CVE-2026-33205

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitra...

CVSS 4.8, AI score 6, EPSS 0.00022, Exploits 1, References 2, Affected Software 1
Cvelist, added 2026/03/27 1:49 p.m., 18 views

CVE-2026-33433 Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name (e.g., x-auth-user instead of X-Auth-User), an authenticated attacker can inject their own canonical version of that header to...

CVSS 5, EPSS 0.00027, Exploits 1, References 4
OSV, added 2026/03/27 10:14 a.m., 4 views

RHSA-2026:5930 Red Hat Security Advisory: firefox security update

Bulletin has no description...

CVSS 7.5, AI score 5.8, EPSS 0.0004, Exploits 0, References 225
RedhatCVE, added 2026/03/26 3:16 p.m., 5 views

CVE-2026-33423

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available...

CVSS 5.3, AI score 5.8, EPSS 0.00018, Exploits 0, References 1
Cvelist, added 2026/03/25 10:35 p.m., 21 views

CVE-2026-33909 OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL...

CVSS 5.9, EPSS 0.00002, Exploits 0, References 3
SUSE CVE, added 2026/03/25 12:25 a.m., 3 views

SUSE CVE-2026-30855

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.2, an authorization bypass in tenant management endpoints of WeKnora application allows any authenticated user to read, modify, or delete any tenant by ID. Since account...

CVSS 8.8, AI score 5.8, EPSS 0.00171, Exploits 1, References 3
Positive Technologies, added 2026/03/25 12:00 a.m., 1 view

PT-2026-28140

Name of the Vulnerable Software and Affected Versions: OpenEMR versions through 8.0.0.2. Description: OpenEMR is an electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection issue in the patient selection feature. This is due ...

CVSS 7.2, AI score 5.8, EPSS 0.00002, Exploits 2, References 5
ATTACKERKB, added 2026/03/24 6:55 p.m., 5 views

CVE-2026-33509

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the setconfigvalue API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option...

CVSS 7.5, AI score 5.8, EPSS 0.00113, Exploits 1, References 2, Affected Software 1
CVE, added 2026/03/24 1:14 p.m., 11 views

CVE-2026-33497

Langflow contains a directory-traversal vulnerability in the /profile_pictures/{folder_name}/{file_name} endpoint (download_profile_picture) where folder_name and file_name are not strictly filtered. This allows an attacker to read files outside the intended directory, including the application’s...

CVSS 8.7, AI score 5.8, EPSS 0.0005, Exploits 1, References 1, Affected Software 1
Positive Technologies, added 2026/03/24 12:00 a.m., 4 views

PT-2026-27622

Name of the Vulnerable Software and Affected Versions: NATS-Server versions prior to 2.11.15; NATS-Server versions prior to 2.12.6. Description: NATS-Server, a high-performance server for NATS.io, is affected by an issue where a valid client utilizing message tracing headers can direct trace messages...

CVSS 4.3, AI score 5.9, EPSS 0.00012, Exploits 0, References 8
Tenable Nessus, added 2026/03/24 12:00 a.m., 0 views

Fedora 42 : python-diskcache (2026-9e5037f4e6)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9e5037f4e6 advisory: "Incorporate patch from Sam Doran to fix CVE-2025-69872." Tenable has extracted the preceding description block directly from the Fedora security advisory. Note...

CVSS 9.8, AI score 7.2, EPSS 0.00048, Exploits 1, References 2
Positive Technologies, added 2026/03/24 12:00 a.m., 2 views

PT-2026-27451

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.2.1. Description: Vikunja is a self-hosted task management platform. A flaw exists where the TaskAttachment.ReadOne function queries attachments using only the ID, disregarding the task ID from the URL. The permission...

CVSS 8.1, AI score 5.8, EPSS 0.00044, Exploits 1, References 10
CVE, added 2026/03/23 9:40 p.m., 8 views

CVE-2026-32300

This CVE entry relates to Connect CMS (My Page Profile Update) with an improper authorization flaw that can allow an authenticated attacker to modify arbitrary user information (including passwords). Affected versions are 1.x up to 1.41.0 and 2.x up to 2.41.0. The vulnerability enables takeover o...

CVSS 8.1, AI score 5.9, EPSS 0.00016, Exploits 0, References 4, Affected Software 1
NVD, added 2026/03/23 9:17 p.m., 0 views

CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

CVSS 6.9, EPSS 0.00015, Exploits 0, References 4
CVE, added 2026/03/23 9:06 p.m., 6 views

CVE-2026-32276

CVE-2026-32276 affects Connect-CMS and its Code Study Plugin. Affected versions: 1.x ≤ 1.41.0 and 2.x ≤ 2.41.0. An authenticated user could trigger arbitrary code execution on the server through the Code Study Plugin. The vulnerability is addressed in patched releases: 1.41.1 (1.x) and 2.41.1 (2...

CVSS 8.8, AI score 6.2, EPSS 0.00103, Exploits 0, References 4, Affected Software 1
OSV, added 2026/03/23 8:45 p.m., 1 view

CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where the user.detail endpoint leaks the superadmin token. This issue has been patched in version 1.8.4...

CVSS 6, AI score 5.8, EPSS 0.00042, Exploits 0, References 5