PT-2026-31447

A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request...

PT-2026-38563

Name of the Vulnerable Software and Affected Versions Go affected versions not specified Description The "go bug" command writes to two files with predictable names in the system temporary directory, such as "/tmp". An attacker with access to this directory can create a symbolic link symlink—a fi...

PT-2026-41279

Name of the Vulnerable Software and Affected Versions DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 Description A supply chain attack compromised official installation packages distributed via the legitimate website daemon-tools.cc between April 8, 2026, and May 5, 2026. Attackers...

PT-2026-31291

Name of the Vulnerable Software and Affected Versions The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net versions up to and including 1.1.5 Description The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPre...

Sonatype Nexus Repository 安全漏洞

Sonatype Nexus Repository is a repository manager developed by Sonatype, Inc. in the United States. It is primarily used for managing, storing, and distributing software. Versions of Sonatype Nexus Repository 3.90.2 and earlier contain security vulnerabilities. These vulnerabilities stem from...

Linux Distros Unpatched Vulnerability : CVE-2026-39860

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix...

Juniper Junos OS Vulnerability (JSA107807)

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA107807 advisory. - A UNIX Symbolic Link Symlink Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their...

Google Go 安全漏洞

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which stems from the crypto/tls component. Sending multiple key update messages after a handshake in ...

VulnCheck KEV: CVE-2025-27817

A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url"...

CVE-2026-4406

The CVE concerns Gravity Forms for WordPress (≤ 2.9.30) with a Reflected XSS in the gform_get_config AJAX action via the form_ids parameter. The root cause is that GFCommon::send_json() returns JSON wrapped in HTML comments using echo/wp_die(), sending a text/html header instead of application/js...

CVE-2026-5671

A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Impacted is an unknown function of the file /admin/class%20schedule/deletebatch.php of the component Class Schedule Deletion Endpoint. Executing a manipulation of the argument bat...

CVE-2026-22675

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

CVE-2026-5676

A vulnerability was identified in Totolink A8000R 5.9c.681B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview std/internal/syscall/unix is a Go standard library package std/internal/syscall/unix Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition. Go Vulnerability Report:On Linux, if the target of Root.Chmod is replaced with a symlink while the chm...

CVE-2026-35533

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted a...

CVE-2026-20911

A flaw was found in LibRaw. A remote attacker can exploit a heap-based buffer overflow vulnerability in the HuffTable::initval functionality by providing a specially crafted malicious file. This can lead to arbitrary code execution or a denial of service DoS on the affected system. Mitigation...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit...

CVE-2026-39366 WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...