192259 matches found

Tenable Nessus
added 2026/03/26 12:0 a.m. | 3 views

AlmaLinux 8 : nginx:1.24 (ALSA-2026:5581)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:5581 advisory. nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections (CVE-2026-1642). Tenable has extracted the preceding description block directly...

8.2 CVSS | 6.1 AI score | 0.00339 EPSS
Exploits 0 | References 3

Vulnrichment
added 2026/03/26 12:0 a.m. | 2 views

CVE-2026-30458

An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack...

5.9 AI score | 0.0041 EPSS
Exploits 1 | References 4

Tenable Nessus
added 2026/03/26 12:0 a.m. | 2 views

Traefik < 2.11.41 / 3.x < 3.6.11 Multiple Vulnerabilities

The version of Traefik installed on the remote macOS host is prior to 2.11.41 or 3.x prior to 3.6.11. It is, therefore, affected by multiple vulnerabilities: - mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across...

7.8 CVSS | 6.4 AI score | 0.00385 EPSS
Exploits 0 | References 4

CVE
added 2026/03/25 10:32 p.m. | 9 views

CVE-2026-4825

CVE-2026-4825 affects SourceCodester Sales and Inventory System 1.0. The vulnerability lies in the HTTP GET Parameter Handler for the file /update_sales.php, where manipulating the sid argument enables an SQL injection. The issue may be exploited remotely, and an exploit has been made public. No ...

6.5 CVSS | 6.4 AI score | 0.00303 EPSS
Exploits 1 | References 5 | Affected Software 1

ATTACKERKB
added 2026/03/25 9:44 p.m. | 2 views

CVE-2026-4824

A vulnerability has been found in Enter Software Iperius Backup up to 8.7.3. Affected by this issue is some unknown functionality of the component Backup Job Configuration File Handler. The manipulation leads to improper privilege management. The attack must be carried out locally. The attack is...

7.3 CVSS | 6.1 AI score | 0.00136 EPSS
Exploits 0 | References 5 | Affected Software 1

CVE
added 2026/03/25 9:44 p.m. | 16 views

CVE-2026-4824

Technical details about CVE-2026-4824 (affected product, vulnerable component, exact exploit path, and remediation specifics) are not publicly provided in the supplied documents. Monitor for updates.

7.3 CVSS | 6.1 AI score | 0.00136 EPSS
Exploits 0 | References 5

NVD
added 2026/03/25 9:16 p.m. | 5 views

CVE-2025-64648

IBM Concert 1.0.0 through 2.2.0 transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques...

5.9 CVSS | 0.00186 EPSS
Exploits 0 | References 1

Vulnrichment
added 2026/03/25 8:41 p.m. | 1 views

CVE-2026-1015 IBM InfoSphere Information Server is vulnerable to server-side request forgery

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

5.4 CVSS | 5.8 AI score | 0.00207 EPSS
Exploits 0 | References 1

ATTACKERKB
added 2026/03/25 8:31 p.m. | 3 views

CVE-2026-4822

A vulnerability was detected in Enter Software Iperius Backup up to 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only...

7.3 CVSS | 6.3 AI score | 0.00163 EPSS
Exploits 0 | References 5 | Affected Software 1

Ubuntu
added 2026/03/25 7:11 p.m. | 9 views

USN-8125-1: Linux kernel (Azure) vulnerabilities

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module (LSM). An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information (kernel memory), local...

7.8 CVSS | 6.2 AI score | 0.23278 EPSS
Exploits 8 | References 1

EUVD
added 2026/03/25 6:31 p.m. | 3 views

EUVD-2026-15426

A vulnerability in the TLS library of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust the available memory of an affected device. This vulnerability is due to improper management of memory resources during TLS connection setup. An attacker could exploit this...

7.4 CVSS | 5.8 AI score | 0.00179 EPSS
Exploits 0 | References 2

EUVD
added 2026/03/25 5:48 p.m. | 6 views

EUVD-2026-14486

AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification...

8.8 CVSS | 5.8 AI score | 0.00172 EPSS
Exploits 1 | References 2

Github Security Blog
added 2026/03/25 5:27 p.m. | 10 views

@grackle-ai/server has Missing WebSocket Origin Header Validation

Impact: The WebSocket upgrade handler in the server validates authentication (API key token or session cookie) but does not check the Origin header. A malicious webpage on a different origin could initiate a WebSocket connection to ws://localhost:3000/ws if it can leverage the user's session cookie...

5.7 AI score
Exploits 0 | References 2 | Affected Software 1

NVD
added 2026/03/25 5:16 p.m. | 5 views

CVE-2026-25461

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS. This issue affects Listeo Core: from n/a through = 2.0.21...

7.1 CVSS | 0.0018 EPSS
Exploits 0 | References 1

NVD
added 2026/03/25 5:16 p.m. | 2 views

CVE-2026-25354

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Reebox reebox allows Reflected XSS. This issue affects Reebox: from n/a through 1.4.8...

7.1 CVSS | 0.0018 EPSS
Exploits 0 | References 1

OSV
added 2026/03/25 5:7 p.m. | 3 views

GHSA-PQ2Q-RCW4-3HR6 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead

Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication. Problem Description: A missi...

7.5 CVSS | 6.2 AI score | 0.00412 EPSS
Exploits 0 | References 4

Vulnrichment
added 2026/03/25 4:24 p.m. | 1 views

CVE-2026-26233 Denial of Service via HTTP/2 single packet attack on login endpoint

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests...

4.3 CVSS | 5.9 AI score | 0.00305 EPSS
Exploits 0 | References 1

Cvelist
added 2026/03/25 4:24 p.m. | 27 views

CVE-2026-26233 Denial of Service via HTTP/2 single packet attack on login endpoint

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests...

4.3 CVSS | 0.00305 EPSS
Exploits 0 | References 1

CVE
added 2026/03/25 4:24 p.m. | 21 views

CVE-2026-26233

CVE-2026-26233 affects Mattermost releases 10.11.x to 11.4.x, where login requests are not rate-limited, enabling unauthenticated remote attackers to cause denial of service via an HTTP/2 single-packet attack with 100+ parallel login requests. No patch/version details are provided in the document...

6.5 CVSS | 5.8 AI score | 0.00305 EPSS
Exploits 0 | References 1 | Affected Software 1

RedhatCVE
added 2026/03/25 4:22 p.m. | 3 views

CVE-2026-1519

A flaw was found in BIND. A remote attacker could exploit this vulnerability by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. This could cause the resolver to consume excessive CPU resources, leading to a denial of service (DoS) for legitimate users. Mitigation: To mitigate...

7.5 CVSS | 5.8 AI score | 0.00824 EPSS
Exploits 0 | References 7