CVE-2025-41118 Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage COS. If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secretkey configuration value from the...

CVE-2025-41118

Pyroscope (open-source continuous profiling DB) is affected when configured to use Tencent COS as the storage backend. The issue allows extraction of the secret_key configuration value from the Pyroscope API due to missing type protection, potentially exposing sensitive credentials to an attacker...

CVE-2026-34393 Weblate: Privilege escalation in the user API endpoint

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17...

CVE-2026-34393 Weblate: Privilege escalation in the user API endpoint

Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17...

CVE-2026-34393

Weblate (web-based localization tool) has a vulnerability in the user patching API endpoint that allows privilege escalation by not properly limiting edit scope in versions prior to 5.17. The issue has been fixed in 5.17. Affected component is the user API endpoint; root cause is insufficient sco...

CVE-2026-33214

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...

CVE-2026-33220

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this featur...

CVE-2026-33220 Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this featur...

CVE-2026-33220 Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this featur...

CVE-2026-33214

Weblate CVE-2026-33214 affects Weblate versions before 5.17 where the translation memory API exposed unintended endpoints and did not enforce proper access control. The underlying issue is improper access control in the memory API, potentially allowing unauthorized access to memory-related functi...

CVE-2026-33214 Weblate has improper access control for the translation memory API

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't enforce proper access control. This issue has been fixed in version 5.17. If users are unable to update immediately, they can work around this issue b...

CVE-2026-33212 Weblate: Improper access control for pending tasks in API

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

CVE-2026-33212

CVE-2026-33212 affects Weblate (web-based localization tool). The vulnerability lies in the tasks API where, in versions prior to 5.17, access control for pending tasks was not enforced, potentially exposing in-progress task logs to users without the proper scope. The attack requires brute-forcin...

Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: tomcat10: tomcat10-10.1.54-1.hum1 noarch tomcat10-admin-webapps-10.1.54-1.hum1 noarch tomcat10-common-10.1.54-1.hum1 noarch tomcat10-docs-webapp-10.1.54-1.hum1 noarch...

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

Threat actors have been observed weaponizing n8n, a popular artificial intelligence AI workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these...

SUSE CVE-2026-33018

libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the loadgif function in fromgif.c, where a single sixelframet object is reused across all frames of an animated GIF and gifinitframe unconditionally...

WordPress Accessibly plugin <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API vulnerability

Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API vulnerability discovered by WordFence in WordPress Plugin Accessibly WordPress Website Accessibility versions = 3.0.3...

CVE-2026-27769

Mattermost CVE-2026-27769 affects Mattermost 10.11.x up to 10.11.12 where the Connected Workspaces feature does not validate that users are correctly owned by the target Connected Workspace. This allows a malicious remote server connected via the Connected Workspaces API to change the displayed s...

CVE-2026-3643

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permissioncallback set to returntrue...

CVE-2026-5088 Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts

Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The makesalt and makesaltbcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply...