CVE-2026-9059 NextGEN Gallery - SQL Injection

NextGEN Gallery version prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function 'cleancolumn' in the data mapper layer that uses a...

CVE-2026-9059

NextGEN Gallery (WordPress) versions prior to 4.2.1 are vulnerable to an authenticated SQL injection. The issue is in the data mapper layer where _clean_column() uses a blacklist instead of a whitelist, allowing an authenticated attacker with the Administrator role (NextGEN Gallery overview capab...

MAL-2026-4581 Malicious code in idlidosa (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c6cba2c58d95d705af7dc5bb1c630129127835fb1ef15d4ccf43ec2818bf632 The package is purpose-built tooling to defeat exam-proctoring / lockdown software, with multiple installer-machine integrity harms triggered when th...

CVE-2026-7385 Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

CVE-2026-7385 Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

CVE-2026-7385

The Decent Comments WordPress plugin (prior to version 3.0.2) exposes comment author and post author email addresses via its REST API without access restrictions, enabling unauthenticated users to enumerate registered email addresses. Root cause: insufficient access controls on the REST endpoint....

Astra Linux - уязвимость в chromium

Insufficient policy enforcement in the Web Payments API in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions through a crafted HTML page. Chromium security severity: Medium...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: hfs: Ensure that sb-sfsinfo is always cleaned up. When hfs was converted to the new mount API, a bug was introduced by changing the allocation pattern of sb-sfsinfo. If setupbdevsuper fails after a new superblock has been allocat...

Astra Linux - уязвимость в firefox, thunderbird

When using X11, text selected by the page using the Selection API is erroneously copied into the primary selection, a temporary storage similar to the clipboard. This bug only affects Firefox on X11. Other systems are unaffected. This vulnerability affects Firefox versions earlier than 120, Firef...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: unlink NAPIs from queues on error to open The CI detected a UaF in fbnic within the AFXDP section of the queues.py test. The UaF occurs in the skmarknapiidonce function call in xskbind. The NAPI has been freed. It see...

Astra Linux - уязвимость в chromium

Insufficient policy enforcement in the File System API of Google Chrome prior to version 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions through a crafted HTML page...

Astra Linux - уязвимость в chromium

Insufficient policy enforcement in the File System API of Google Chrome prior to version 88.0.4324.96 allowed a remote attacker to bypass the file extension policy through a crafted HTML page...

Astra Linux – Vulnerability in Chromium

The use of the after free operation in the File System API in Google Chrome before version 92.0.4515.131 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...

Astra Linux - уязвимость в chromium

Chromium: CVE-2021-30610 Use after free in Extensions API...

Astra Linux - уязвимость в chromium

In the Blink Serial API in Google Chrome, a memory access out of bounds was allowed before version 97.0.4692.71. This allowed a remote attacker to perform a memory read through a crafted HTML page and a virtual serial port driver...

Astra Linux - уязвимость в chromium

The use of the after-free operation in the Webstore API in Google Chrome before version 98.0.4758.102 allowed attackers to exploit heap corruption by using a crafted HTML page. This was possible if an attacker convinced a user to install a malicious extension and compelled the user to perform...

Astra Linux - уязвимость в chromium

Inappropriate implementation in the Background Fetch API in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data through a crafted HTML page...

Astra Linux - уязвимость в chromium

Before version 101.0.4951.41, using the "after free" mechanism in the File System API in Google Chrome allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...

Astra Linux - уязвимость в chromium

Inappropriate implementation in the Extensions API in Google Chrome prior to 104.0.5112.101 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts into the WebUI through a crafted HTML page...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: ath11k: fixed the kernel panic that occurred during the unloading/loading of ath11k modules. Fixed the call to netifnapidel from ath11kahbfreeextirq, to prevent the following kernel panic when unloading/loading ath11k modules...