CVE-2026-34087 Users API leaks whether privileged users have their user groups disabled for lack of 2FA

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from before 1.43.7, 1.44.4, 1.45.2...

[SECURITY] Fedora 42 Update: nextcloud-33.0.3-1.fc42

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

CVE-2026-42137 Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

Important: java-26-amazon-corretto

Issue Overview: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Security. Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalV...

GHSA-HQ28-CRG7-95PR Snipe-IT has Privilege Escalation via API Permissions Assignment

Impact An authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys...

CVE-2026-42176

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address...

CVE-2026-7475

The Sky Addons (WordPress) plugin, specifically Sky Elementor Addons with Widgets & Templates versions

Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to insufficient validation of team membership permissions in the Add Channel Member API, which allows an attacker to exploit the API endpoint to access user metadata and channel membership...

BIT-JRE-2026-34268

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Security. Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0....

BIT-JRE-2020-2590

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Security. Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...

SmarterTools SmarterMail 路径遍历漏洞

SmarterTools SmarterMail is a set of email server software developed by SmarterTools Corporation. This software supports features such as spam filtering, data statistics, and Simple Mail Transfer Protocol SMTP authentication. Previous versions of SmarterTools SmarterMail version 9560 contained a...

PT-2026-38826

Vulnerability in Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java...

CVE-2026-8081

A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/apitools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote...

GHSA-98QH-XJC8-98PQ vulnerabilities

Vulnerabilities for packages: geoserver, seata, guacamole-client, camunda-zeebe, apache-hop-fips, debezium, sonarqube, druid, dependency-track, hono, nuxeo, apache-hop, kayenta-fips, thingsboard, dependency-track-apiserver, keycloak, kayenta, nacos-docker, keycloak-fips, flyway-fips,...

EUVD-2026-27861

A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit...

BIT-JAVA-MIN-2025-21502

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Orac...

BIT-JAVA-2025-21502

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Orac...

PT-2026-37728

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allow...

PT-2026-37805

Vulnerability in Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java...

Cisco ISE 安全漏洞

Cisco ISE is a NAC solution developed by the American company Cisco. It is used to manage access to network resources for endpoints, users, and devices in a zero-trust architecture. Cisco ISE has a security vulnerability that arises from observing error messages when calling affected API endpoint...