Security update 5.1.2 for Multi-Linux Manager Client Tools

This update fixes the following issues: dracut-saltboot: Update to version 1.1.0 Retry DHCP requests up to 3 times bsc1253004 golang-github-QubitProducts-exporterexporter: Non-customer-facing optimization around source building golang-github-boynux-squidexporter: Update to version 1.13.0...

CVE-2026-2974

AliasVault App (up to 0.25.3) on Android/iOS contains a vulnerability in the Backup Handler that manipulates tokens inside shared_prefs/aliasvault.xml (accessToken/refreshToken/metadata/key_derivation_params/auth_methods). This can expose backup files to an unauthorized control sphere through a l...

CVE-2026-2968

Cesanta Mongoose up to 7.20 is affected in mg_chacha20_poly1305_decrypt (tls_chacha20.c, Poly1305 Authentication Tag Handler). The issue is improper verification of the cryptographic signature, with a remote attack vector. Descriptions indicate high complexity for exploitation and that the exploi...

CVE-2026-2898

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

Exploit for Deserialization of Untrusted Data in Nextgen Mirth_Connect

CVE-2023-43208 — Mirth Connect Pre-Auth RCE Pre-authenticated...

GHSA-GCXP-XG77-798J funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVE-2026-2898

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVE-2026-2898

The CVE concerns funadmin up to 7.1.0-rc4, affecting the Backend Endpoint through the function getMember in app/common/service/AuthCloudService.php. The issue stems from deserialization triggered by manipulating the cloud_account argument, enabling a remote attack. The exploit is publicly availab...

CVE-2026-2898 funadmin Backend Endpoint AuthCloudService.php getMember deserialization

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CLSA-2026-1771663697 curl: Fix of 2 CVEs

CVE-2025-14524: fix OAuth2 bearer token leak on cross-protocol redirect - CVE-2025-15224: fix libssh public-key auth fallback to SSH agent...

MAL-2026-975 Malicious code in azure-postgresql-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bed0aaccd7198eac8f4076c1eec5f143ae28bdcfa8bbf990a62ff7c65411707 The package azure-postgresql-auth was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in azure-postgresql-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bed0aaccd7198eac8f4076c1eec5f143ae28bdcfa8bbf990a62ff7c65411707 The package azure-postgresql-auth was found to contain malicious code. Source: ossf-package-analysis...

Exploit for Code Injection in Ivanti Endpoint_Manager_Mobile

Ivanti EPMM pre-auth RCE Dummy Target A simple demo applicati...

a-api-server (=1.3.0), a2 (>=0.1.0 <=0.3.17) +3857 more potentially affected by CVE-2026-27205 via flask (>=0.10.1 <=3.1.2)

flask PYPI version =0.10.1, =0.1.0, =0.10.0, =1.0.2, =1.0.0, =1.0.5, =1.8.8, =1.0.2, =0.3.1, =0.8.44.4, =1.3.1.post1 and more Source cves: CVE-2026-27205 Source advisory: OSV:GHSA-68RP-WP8R-4726...

GHSA-GQ3J-XVXP-8HRF Hono added timing comparison hardening in basicAuth and bearerAuth

Summary The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal string equality === when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing...

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

SUSE CVE-2026-23125

In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTPCMDASSOCSHKEY right after SCTPCMDPEERINIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN:...

Splunk Enterprise 9.2.0 < 9.2.11, 9.3.0 < 9.3.8, 9.4.0 < 9.4.7, 10.0.0 < 10.0.2 (SVD-2026-0209)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2026-0209 advisory. - In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below...

OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated

Summary The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated. Details In src/gateway/server/ws-connection/message-handler.ts, the device-identity requirement could be bypassed based on the presence of a non-empty...