CVE-2026-34743

XZ Utils contains a vulnerability (CVE-2026-34743) in lzma_index_append() when decoding an empty index with lzma_index_decoder(), which could leave the index in a state that permits a buffer overflow. The issue affects versions prior to 5.8.3; a patch is available in 5.8.3. Affected component is ...

CVE-2026-34743

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindexappend would allocate too little...

CVE-2026-34743

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindexappend would allocate too little...

Slackware: Security Advisory (SSA:2026-090-01)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

PT-2026-29689

Name of the Vulnerable Software and Affected Versions XZ Utils versions prior to 5.8.3 Description XZ Utils, a data-compression library and command-line tools, had a flaw where the lzma index decoder function, when processing an Index without Records, could leave the lzma index in a state leading...

OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

Summary The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file agents.create and agents.update still use raw fs.appendFile on the IDENTITY.md file without any symlink...

GHSA-7XR2-Q9VF-X4R5 OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

Summary The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file agents.create and agents.update still use raw fs.appendFile on the IDENTITY.md file without any symlink...

SUSE CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory

A flaw was found in glibc. When the wordexp function is called with the flags WRDEREUSE and WRDEAPPEND, it may return uninitialized memory. If the caller inspects the wewordv array or calls the wordfree function to free the allocated memory, the process will abort, resulting in a denial of servic...

GO-2026-4658 SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren in github.com/siyuan-note/siyuan/kernel

SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren in github.com/siyuan-note/siyuan/kernel...

CVE-2026-1708 Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the dbwhereconditions method in the TDDBModel class failing to prevent the appendwheresql paramet...

CVE-2026-1708

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection in all versions up to, and including, 1.6.9.27. This is due to the dbwhereconditions method in the TDDBModel class failing to prevent the appendwheresql paramet...

CVE-2026-1708

The CVE-2026-1708 entry concerns the WordPress plugin “Appointment Booking Calendar — Simply Schedule Appointments” vulnerable to blind SQL injection in all versions up to 1.6.9.27. The root cause is in TD_DB_Model’s db_where_conditions, which fails to sanitize the append_where_sql parameter pass...

CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

EulerOS 2.0 SP13 : glibc (EulerOS-SA-2026-1272)

According to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Passing too large an alignment to the memalign suite of functions memalign, posixmemalign, alignedalloc in the GNU C Library version 2.30 to 2.42 m...

CVE-2026-30926 SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

CVE-2026-30926

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

EUVD-2026-10394

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...

CVE-2026-30926 SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content

SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint...