57290 matches found
USN-7990-5: Linux kernel (Azure) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Padata parallel execution mechanism; - Netfilter; CVE-2022-49698, CVE-2025-21726, CVE-2025-400...
PT-2026-20980
Frappe Learning Management System LMS is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release...
PT-2026-21285
Name of the Vulnerable Software and Affected Versions: PROLiNK PRC2402M versions prior to 2021-06-13. Description: The PROLiNK PRC2402M router firmware contains a flaw that allows for arbitrary OS command execution. The issue resides in the live api.cgi script when handling the page=satellite list...
Music Assistant Code Issue Vulnerability
Music Assistant is an open-source media library manager developed by Music Assistant. Versions 2.6.3 and earlier of Music Assistant contain a code-level vulnerability in the music/playlists/update API, which allows bypassing the .m3u extension restriction and allowin...
CVE-2026-26953
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
a-api-server (=1.3.0), a2 (>=0.1.0 <=0.3.17) +3876 more potentially affected by CVE-2026-27205 via flask (>=0.10.1 <=3.1.2)
flask PYPI version =0.10.1, =0.1.0, =0.10.0, =1.0.2, =1.0.0, =1.0.5, =1.8.8, =1.0.2, =0.3.1, =0.8.44.4, =1.3.1.post1 and more Source cves: CVE-2026-27205 Source advisory: OSV:GHSA-68RP-WP8R-4726...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.2)
devalue NPM version =5.0.0, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =4.0.1 and...
CVE-2026-26063 CediPay Affected by Improper Input Validation in Payment Processing
CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networ...
CVE-2026-26057 Skill Scanner Unsecured Network Binding Vulnerability
Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow an unauthenticated, remote attacker to interact with the server API and either trigger a denial of...
CVE-2026-26057
The CVE-2026-26057 entry documents a vulnerability in Skill Scanner’s API Server where erroneous binding to multiple interfaces allows an unauthenticated, remote attacker to interact with the server API, potentially causing memory starvation (DoS) or uploading files to arbitrary folders. Affected...
Arbitrary File Upload
Overview: Affected versions of this package are vulnerable to Arbitrary File Upload via the throttling policy import API. An attacker can execute arbitrary code by uploading a specially crafted file to a user-controlled location. Remediation: Upgrade org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl t...
GHSA-P6JF-79J3-33F3 carbon-apimgt does not properly restrict uploaded files
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST API. Successful uploads may lead to remote code execution. By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by...
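The two upload advisories above (the carbon-apimgt entry here and the Music Assistant .m3u restriction bypass earlier in the listing) share one failure shape: an API accepts a file name from the caller and either trusts it as a path or checks only its suffix. The block below is an added illustration written for this page, not code from carbon-apimgt, Music Assistant or any other project listed; the upload root, the extension allow-list, the sample names and every function name are assumptions. It puts a naive handler beside a hardened one so the difference can be exercised on constructed input.

```python
"""Confining an upload API's destination path and file type.

Added illustration for this listing; not code from carbon-apimgt, Music
Assistant or any other project named here. UPLOAD_ROOT, ALLOWED_EXTENSIONS
and the function names are assumptions chosen for the example.
"""
import os

UPLOAD_ROOT = "/srv/app/uploads"                   # assumed deployment directory
ALLOWED_EXTENSIONS = frozenset({".m3u", ".m3u8"})   # assumed allow-list of playlist types


def naive_extension_ok(filename):
    """Suffix-only check: looks at the last characters and nothing else,
    so a name carrying path separators or '..' segments still passes."""
    return filename.endswith(".m3u")


def vulnerable_destination(root, filename):
    """Naive handler: treats the caller-supplied name as a path fragment.

    os.path.join keeps '..' segments verbatim and discards `root` entirely
    when `filename` is absolute, so the caller chooses where the file lands."""
    return os.path.join(root, filename)


def safe_destination(root, filename):
    """Hardened handler: accept one bare path component with an allow-listed
    extension and prove the result stays under `root`. Raises ValueError."""
    root = os.path.normpath(root)
    if not filename or filename in (".", ".."):
        raise ValueError("empty or reserved file name")
    # Separators of either flavour, NUL (truncates names in C file APIs) and
    # other control bytes have no business in a file name sent to an upload API.
    if any(ch in "/\\" or ord(ch) < 0x20 for ch in filename):
        raise ValueError("file name must be a single path component")
    stem, ext = os.path.splitext(filename)
    # splitext('.m3u') yields ('.m3u', ''), so dot-files fail the extension test.
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    candidate = os.path.normpath(os.path.join(root, filename))
    # Defence in depth: the checks above already forbid traversal, but an
    # explicit containment test guards against a future relaxation of them.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("destination escapes upload root")
    return candidate


def classify_upload(root, filename):
    """Convenience wrapper: ('accepted', path) or ('rejected', reason)."""
    try:
        return ("accepted", safe_destination(root, filename))
    except ValueError as err:
        return ("rejected", str(err))


# Constructed sample names (not taken from any advisory on this page).
SAMPLE_NAMES = [
    "playlist.m3u",
    "Mix.M3U8",
    "../../etc/cron.d/job.m3u",
    "/etc/cron.d/job.m3u",
    "evil.m3u\x00.php",
    ".m3u",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:32} naive_ok={naive_extension_ok(name)!s:5} "
              f"naive_path={vulnerable_destination(UPLOAD_ROOT, name)!r:45} "
              f"hardened={classify_upload(UPLOAD_ROOT, name)}")
```

Running the block shows the point of both advisories on one line each: "../../etc/cron.d/job.m3u" satisfies the suffix check yet the naive join resolves it to a cron directory, while the hardened handler rejects it before any extension or path reasoning happens. The containment test with os.path.commonpath is deliberately redundant with the single-component rule; keeping both means a later change to one check does not silently reopen traversal. Symlinks already present inside the upload root are a separate concern and would call for os.path.realpath at write time.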
GHSA-5VVM-67PJ-72G4 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
Summary: Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the ability to manage promotion-related resources from the ability to trigger promotions,...
CVE-2025-71241 SPIP < 4.3.6 Cross-Site Scripting in Private Area
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen...
USN-8033-8 linux-intel-iotg vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Nios II architecture; - Sun Sparc architecture; - User-Mode Linux UML; - x86 architecture; - Block layer subsystem;...