
1416 matches found

OSV
added 2026/02/12 4:34 p.m., 1 view

SUSE-SU-2026:0483-1 Security update for zabbix

This update for zabbix fixes the following issues: - CVE-2024-36469: Introduced clamping for mitigation of timing attacks. bsc1240676 - CVE-2024-42325: Restricted access to user fields using user.get API method for users of User and Admin type, and restricted access to alert entities using...

CVSS 3.5 | AI score 5.5 | EPSS 0.00121
Exploits 0 | References 5
Snyk
added 2026/02/11 8:56 p.m., 3 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/users endpoint. An attacker can access sensitive information by sending a specially crafted request. Remediation There is no fixed version for...

CVSS 8.8 | AI score 5.6 | EPSS 0.00054
Exploits 1 | References 2
OSV
added 2026/02/11 12:16 p.m., 0 views

UBUNTU-CVE-2025-14594

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API...

CVSS 3.5 | AI score 5.8 | EPSS 0.00016
Exploits 0 | References 5
Positive Technologies
added 2026/02/11 12:00 a.m., 3 views

PT-2026-7522

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 17.11 through 18.6.5; GitLab CE/EE versions 18.7 through 18.7.3; GitLab CE/EE versions 18.8 through 18.8.3. Description: An authenticated user could potentially view certain pipeline values by querying the API under specific...

CVSS 3.5 | AI score 5.3 | EPSS 0.00016
Exploits 0 | References 10
CNNVD
added 2026/02/10 12:00 a.m., 2 views

Silicon Labs Simplicity Device Manager Tool security vulnerability

The Silicon Labs Simplicity Device Manager Tool is a hardware enumeration, configuration, and fault-diagnosis tool developed by Silicon Labs, Inc. The tool has a security vulnerability caused by reflected cross-site scripting in multiple API endpoints. This vulnerability could allow attackers to...

CVSS 7.5 | AI score 5.8 | EPSS 0.0007
Exploits 0 | References 2
ATTACKERKB
added 2026/02/09 10:42 p.m., 4 views

CVE-2026-25958

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...

CVSS 7.7 | AI score 5.5 | EPSS 0.00022
Exploits 0 | References 2 | Affected Software 1
Veracode
added 2026/02/09 12:54 p.m., 4 views

Sensitive Information Disclosure

Amazon SageMaker Python SDK is vulnerable to sensitive information disclosure. The vulnerability is due to the ModelBuilder HMAC signing key being returned in cleartext in the DescribeTrainingJob API response, which allows an attacker with API access and S3 output write permissions to upload...

CVSS 8.5 | AI score 5.5 | EPSS 0.00022
Exploits 0 | References 7 | Affected Software 1
EUVD
added 2026/02/07 3:26 a.m., 3 views

EUVD-2025-206899

Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability ...

CVSS 6.8 | AI score 5.5 | EPSS 0.00054
Exploits 0 | References 1
Positive Technologies
added 2026/02/07 12:00 a.m., 4 views

PT-2026-6873

Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability ...

CVSS 6.8 | AI score 5.6 | EPSS 0.00054
Exploits 0 | References 2
CNNVD
added 2026/02/07 12:00 a.m., 2 views

HCL Velocity security vulnerability

HCL Velocity is a value stream management and release platform developed by the Indian company HCL. There is a security vulnerability in HCL Velocity, which stems from the lack of rate limits being enforced for certain API calls, potentially leading to denial-of-service attacks...

CVSS 6.8 | AI score 5.8 | EPSS 0.00054
Exploits 0 | References 1
CVE
added 2026/02/06 8:30 p.m., 8 views

CVE-2026-25729

DeepAudit is affected by an improper access control vulnerability in the /api/v1/users/ endpoint present in version 3.0.4 and earlier. An authenticated user can enumerate all users and retrieve sensitive fields (emails, phone numbers, full names, roles). The issue is documented across multiple so...

CVSS 6.5 | AI score 5.5 | EPSS 0.00044
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/02/06 6:15 p.m., 1 view

CVE-2025-70963

Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...

CVSS 7.6 | AI score 5.5
Exploits 0 | References 1
ATTACKERKB
added 2026/02/06 5:47 a.m., 3 views

CVE-2026-0598

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could acces...

CVSS 4.2 | AI score 5.3 | EPSS 0.00012
Exploits 0 | References 4
ATTACKERKB
added 2026/02/04 8:06 p.m., 3 views

CVE-2026-25505

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7...

CVSS 9.8 | AI score 5.4 | EPSS 0.00125
Exploits 1 | References 4 | Affected Software 1
CNNVD
added 2026/02/04 12:00 a.m., 3 views

Bambuddy security vulnerability

Bambuddy is a self-hosted printing management system for 3D printers developed by the individual developer MartinNYHC. Versions of Bambuddy prior to 0.1.7 contained security vulnerabilities. These vulnerabilities stemmed from hard-coded keys and the lack of authentication checks on many API routes,...

CVSS 9.8 | AI score 5.8 | EPSS 0.00125
Exploits 1 | References 3
Tenable Nessus
added 2026/02/03 12:00 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2025-13978

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowe...

CVSS 4.3 | AI score 5.6 | EPSS 0.00016
Exploits 0 | References 2
Patchstack
added 2026/02/02 8:50 a.m., 4 views

WordPress Getwid plugin <= 2.0.10 - Missing Authorization to Google API key update vulnerability

Missing Authorization to Google API key update vulnerability discovered by Peter Thaleikis in WordPress Plugin Getwid versions <= 2.0.10...

CVSS 5.3 | AI score 5.3 | EPSS 0.00145
Exploits 0 | References 1 | Affected Software 1
EUVD
added 2026/01/30 6:31 p.m., 4 views

EUVD-2024-55391

Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read the Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X...

CVSS 6.9 | AI score 5.9 | EPSS 0.00005
Exploits 0 | References 1
Vulnrichment
added 2026/01/29 9:33 p.m., 3 views

CVE-2026-25040 Budibase Vulnerable to Privilege Escalation via API Abuse: Creator Can Invite Users with Admin/Any Role

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or Ap...

CVSS 7.1 | AI score 5.5 | EPSS 0.0003
Exploits 1 | References 3
CNNVD
added 2026/01/29 12:00 a.m., 1 view

latex.teainside.org security vulnerabilities

latex.teainside.org is a web interface for the LaTeX compiler developed by Ammar Faizi. Version 1.0 of latex.teainside.org has a security vulnerability; this vulnerability stems from the /api.php endpoint, which processes malicious LaTeX payloads, potentially leading to remote code execution...

CVSS 9.8 | AI score 6.1 | EPSS 0.00356
Exploits 0 | References 3