
31 matches found

Github Security Blog
added 2026/06/08 11:51 p.m., 12 views

Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks

Summary: Arc's user-SQL validator internal/api/query.go:ValidateSQLRequest blocked only read_parquet and arcpartitionagg via regex denylist. The broader DuckDB I/O function family — read_csv_auto, read_csv, read_json, read_json_auto, read_text, read_blob, glob, parquet_metadata, parquet_schema, read_xlsx, etc...

5.6 AI score, 0.00029 EPSS
Exploits 0, References 4, Affected Software 1
CVE
added 2026/06/06 1:26 a.m., 29 views

CVE-2026-8438

The All-In-One Security (AIOS) WordPress plugin (versions up to and including 5.4.7) is affected by a Stored Cross-Site Scripting vulnerability. The root cause is insufficient input sanitization in get_rest_route() and missing output escaping in the debug log’s column_default() when the admin das...

7.2 CVSS, 5.8 AI score, 0.00338 EPSS
Exploits 0, References 10
ATTACKERKB
added 2026/05/06 7:40 a.m., 4 views

CVE-2026-43079

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Skip discovery table for offline dies. This warning can be triggered if NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0. WARNING: CPU: 9 PID: 7257 at uncore.c:1157...

5.7 AI score, 0.00123 EPSS
Exploits 0, References 6, Affected Software 1
CVE
added 2026/04/03 8:12 p.m., 9 views

CVE-2026-25742

Zulip CVE-2026-25742 affects versions before 11.6. Before 11.6, even with spectator access disabled (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED), attachments from web-public streams could be retrieved anonymously, and the endpoint /users/me//topics remained reachable to expose topic his...

5.3 CVSS, 5.8 AI score, 0.00312 EPSS
Exploits 1, References 4, Affected Software 1
Positive Technologies
added 2026/04/03 12:00 a.m., 1 view

PT-2026-30211

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public...

5.3 CVSS, 5.8 AI score, 0.00312 EPSS
Exploits 1, References 5
NVD
added 2026/01/14 11:15 p.m., 4 views

CVE-2025-14058

A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled...

3.2 CVSS, 0.00134 EPSS
Exploits 0, References 1
Cvelist
added 2026/01/08 5:10 p.m., 21 views

CVE-2026-22230 OPEXUS eCASE Audit incorrect access control

OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0...

7.6 CVSS, 0.00285 EPSS
Exploits 0, References 3
RedhatCVE
added 2025/11/17 7:03 a.m., 9 views

CVE-2025-6171

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 6.6 AI score, 0.00231 EPSS
Exploits 0, References 1
EUVD
added 2025/11/15 9:30 a.m., 6 views

EUVD-2025-197692

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 6.1 AI score, 0.00231 EPSS
Exploits 0, References 4
NVD
added 2025/11/15 8:15 a.m., 4 views

CVE-2025-6171

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 0.00231 EPSS
Exploits 0, References 3
CVE
added 2025/11/15 8:04 a.m., 13 views

CVE-2025-6171

GitLab CVE-2025-6171 is a disclosed vulnerability in GitLab CE/EE that allowed an authenticated user with reporter access to view branch names and pipeline details via the Packages API endpoint even when repository access was disabled. Affected versions run from 13.2 up to before 18.3.6, 18.4 up ...

5.3 CVSS, 6.2 AI score, 0.00231 EPSS
Exploits 0, References 3, Affected Software 1
Cvelist
added 2025/11/15 8:04 a.m., 7 views

CVE-2025-6171 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 0.00231 EPSS
Exploits 0, References 3
Vulnrichment
added 2025/11/15 8:04 a.m., 2 views

CVE-2025-6171 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 5.9 AI score, 0.00231 EPSS
Exploits 0, References 3
OSV
added 2025/11/15 8:04 a.m., 4 views

CVE-2025-6171 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 6.2 AI score, 0.00231 EPSS
Exploits 0, References 6
Cvelist
added 2025/11/03 9:56 p.m., 26 views

CVE-2025-34501 Shuffle Master Deck Mate 2 Hard-coded Credentials & Exposed Services

Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as...

7 CVSS, 0.00164 EPSS
Exploits 0, References 2
Positive Technologies
added 2025/10/15 12:00 a.m., 6 views

PT-2025-42379

Name of the Vulnerable Software and Affected Versions: Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 Series, Cisco IP Phone 8800 Series, Cisco Video Phone 8875. Description: A flaw exists in the web UI of the listed Cisco phone series running Cisco SIP Software that could allow a remote,...

7.8 CVSS, 7.1 AI score, 0.00446 EPSS
Exploits 0, References 12
RedhatCVE
added 2025/05/23 6:23 a.m., 4 views

CVE-2024-20445

A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to improper storage of sensitive...

5.3 CVSS, 6.6 AI score, 0.0045 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/05/22 6:10 p.m., 5 views

CVE-2021-40089

An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With this setting disable...

2.3 CVSS, 6.6 AI score, 0.00223 EPSS
Exploits 0
RedhatCVE
added 2025/05/22 4:30 a.m., 7 views

CVE-2010-0057

AFP Server in Apple Mac OS X before 10.6.3 does not prevent guest use of AFP shares when guest access is disabled, which allows remote attackers to bypass intended access restrictions via a mount request...

7.5 CVSS, 6.5 AI score, 0.01209 EPSS
Exploits 0, References 1
RedhatCVE
added 2025/02/14 12:19 p.m., 10 views

CVE-2023-37895

Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI. Versions up to and including 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote...

9.8 CVSS, 7.9 AI score, 0.02657 EPSS
Exploits 0, References 6