35 matches found

ATTACKERKB
added 2026/05/01 5:29 a.m., 1 view

CVE-2026-6127

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...

CVSS 6.4 | AI score 5.5 | EPSS 0.00055
Exploits 0 | References 9
RedhatCVE
added 2026/01/09 9:03 a.m., 3 views

CVE-2024-39905

Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the @commands.can_manage_channel command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of t...

CVSS 5.3 | AI score 7.1 | EPSS 0.00292
Exploits 0 | References 1
OSV
added 2025/12/05 5:16 p.m., 1 view

AZL-71849 CVE-2025-66471 affecting package python-urllib3 1.26.19-3

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than...

CVSS 8.9 | AI score 6.8 | EPSS 0.00017
Exploits 0 | References 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2018-20556

Malware in sbrugna...

CVSS 5.5 | AI score 4.8 | EPSS 0.00193
Exploits 0 | References 2
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-32579

Malicious code in bioql PyPI...

CVSS 5.6 | AI score 6.6 | EPSS 0.00175
Exploits 0 | References 2
CVE
added 2025/09/12 10:33 a.m., 17 views

CVE-2025-27238

CVE-2025-27238 is due to a bug in the Zabbix API where hostprototype.get incorrectly lists all host prototypes to users who have no user groups assigned. The issue arises from the API’s handling of authorization, potentially exposing prototype data to unauthorized users. Connected sources corrobo...

CVSS 3.5 | AI score 6.4 | EPSS 0.00032
Exploits 0 | References 1 | Affected Software 1
RedhatCVE
added 2025/07/09 6:16 p.m., 5 views

CVE-2025-53532

giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own...

CVSS 5.3 | AI score 6.2 | EPSS 0.00216
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 7:36 a.m., 2 views

CVE-2024-4013

A bug exists in the API, mesh_node_power_off, which fails to copy the contents of the Replay Protection List (RPL) from RAM to NVM before powering down, resulting in the ability to replay unsaved messages. Note that as of June 2024, the Gecko SDK was renamed to the Simplicity SDK, and the versioning...

CVSS 5.6 | AI score 6.8 | EPSS 0.00175
Exploits 0
OSV
added 2025/03/21 1:19 p.m., 3 views

OESA-2025-1323 firefox security update

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. %if 0 %global mozdebugprefix /lib/debug %global mozdebugdir /lib/debug/ %global unamem %uname -m %global symbolsfilename -.en-US.-%uname.crashreporter-symbols.zip %global symbolsfilepath...

CVSS 9.8 | AI score 9.9 | EPSS 0.47284
Exploits 3 | References 37
SUSE CVE
added 2024/12/28 3:50 a.m., 1 view

SUSE CVE-2024-53196

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Don't retire aborted MMIO instruction Returning an abort to the guest for an unsupported MMIO access is a documented feature of the KVM UAPI. Nevertheless, it's clear that this plumbing has seen limited testing, since...

AI score 7.7 | EPSS 0.00007
Exploits 0 | References 13
Oracle linux
added 2024/09/19 12:00 a.m., 20 views

pcp security update

5.3.7-22.0.1 - pcp-zoneinfo fix to replay ol7 archives Orabug: 35903733 - Backporting of python tool pcp-meminfo Orabug: 35759707 - Backporting of python tool pcp-slabinfo Orabug: 35560940 - Backporting of python tool pcp-buddyinfo Orabug: 35660932 - Backporting of python tool pcp-netstat Orabug:...

CVSS 5.5 | AI score 7.5 | EPSS 0.00033
Exploits 0
OSV
added 2024/07/11 3:43 p.m., 18 views

CVE-2024-39905 Red-DiscordBot vulnerable to Incorrect Authorization in commands API

Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the @commands.can_manage_channel command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of t...

CVSS 5.3 | AI score 6.8 | EPSS 0.00292
Exploits 0 | References 5
CVE
added 2024/07/11 3:43 p.m., 83 views

CVE-2024-39905

The CVE-2024-39905 issue affects Red-DiscordBot caused by a bug in Red’s Core API: 3rd-party cogs using the can_manage_channel permission check may allow a user to run a command without channel management rights. Core commands/cogs are not affected. The vulnerability was patched in version 3.5.10...

CVSS 5.3 | AI score 5.4 | EPSS 0.00292
Exploits 0 | References 3
NVD
added 2024/06/06 10:15 p.m., 10 views

CVE-2024-4013

A bug exists in the API, mesh_node_power_off, which fails to copy the contents of the Replay Protection List (RPL) from RAM to NVM before powering down, resulting in the ability to replay unsaved messages. Note that as of June 2024, the Gecko SDK was renamed to the Simplicity SDK, and the versioning...

CVSS 5.6 | EPSS 0.00175
Exploits 0 | References 2
CVE
added 2024/06/06 9:31 p.m., 71 views

CVE-2024-4013

The CVE-2024-4013 entry describes a bug in the API function mesh_node_power_off() where Replay Protection List (RPL) contents are not copied from RAM to NVM before shutdown. This prevents preservation of RPL state and enables replay of unsaved messages. The entry notes a renaming from Gecko SDK t...

CVSS 5.6 | AI score 5.4 | EPSS 0.00175
Exploits 0 | References 2
UbuntuCve
added 2024/04/17 10:15 a.m., 30 views

CVE-2024-26831

In the Linux kernel, the following vulnerability has been resolved: net/handshake: Fix handshake_req_destroy_test1 Recently, handshake_req_destroy_test1 started failing: Expected handshake_req_destroy_test == req, but handshake_req_destroy_test == 0000000000000000 req == 0000000060f99b40 not ok 11 req_destroy...

CVSS 5.5 | AI score 6.2 | EPSS 0.00009
Exploits 0 | References 10
CVE
added 2024/04/17 9:43 a.m., 138 views

CVE-2024-26831

CVE-2024-26831 : Linux kernel vulnerability affecting the handshake path in net/handshake, where the test handshake_req_destroy_test1 failed due to replacing sock_release(sock) with fput(filp). This change delayed final close/cleanup, risking that hp_destroy might not be invoked before the test c...

CVSS 5.5 | AI score 6.6 | EPSS 0.00009
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2024/04/17 9:43 a.m., 21 views

CVE-2024-26831 net/handshake: Fix handshake_req_destroy_test1

In the Linux kernel, the following vulnerability has been resolved: net/handshake: Fix handshake_req_destroy_test1 Recently, handshake_req_destroy_test1 started failing: Expected handshake_req_destroy_test == req, but handshake_req_destroy_test == 0000000000000000 req == 0000000060f99b40 not ok 11 req_destroy...

AI score 6.7 | EPSS 0.00009
Exploits 0 | References 3
OSV
added 2024/01/12 11:06 a.m., 3 views

OESA-2024-1068 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition (CVE-2023-51782). A memory leak problem was found in ctnetlink_create_conntrack in...

CVSS 7 | AI score 7.7 | EPSS 0.00023
Exploits 0 | References 3
Hacker One
added 2023/03/24 8:50 a.m., 36 views

Internet Bug Bounty: Authenticated but unauthorized users may enumerate Application names via the API

An information disclosure vulnerability existed in all versions of Argo CD starting with v0.5.0, allowing authenticated but unauthorized users to enumerate application names via API error messages. This could be used as a starting point for further attacks, such as social engineering. The...

CVSS 4.3 | AI score 4.2 | EPSS 0.01127
Exploits 0