CURL-CVE-2026-8458 wrong reuse for different services

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When...

CVE-2026-54762

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. When an Ingress is configured to use BasicAuth or DigestAuth, but the associated authentication secret cannot be resolved or is malformed, Traefik fails to apply the authentication middleware. This allows unauthenticated access...

CVE-2026-53622

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection allows unauthenticated clients to bypass router-specific mutual Transport Layer Security mTLS enforcement. When HTTP/3 is enabled and a router use...

USN-8457-2 mysql-8.0 vulnerabilities

USN-8457-1 fixed several vulnerabilities in MySQL. This update provides the corresponding fixes for MySQL on Ubuntu 20.04 LTS Original advisory details: It was discovered that MySQL Router incorrectly handled repeated TLS protocol upgrade requests. An unauthenticated remote attacker could possibl...

EUVD-2026-38689

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ callback userDetail with permissioncallback set to 'returntrue', and the function's home-grown authentication only...

EUVD-2026-38679

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the pravelchangepassword AJAX handler — registered via wpajaxnoprivpravelchangepassword and...

PT-2026-51675

Name of the Vulnerable Software and Affected Versions SignUp & SignIn plugin for WordPress versions prior to 1.0.1 Description The SignUp & SignIn plugin for WordPress contains an authentication bypass that allows unauthenticated attackers to take over any account, including administrator account...

PT-2026-52126

Name of the Vulnerable Software and Affected Versions ATEN Unizon affected versions not specified Description An incorrect implementation of cryptographic signature verification in the updateWar method allows authenticated remote attackers to execute arbitrary code in the context of SYSTEM. This...

PT-2026-52120

Name of the Vulnerable Software and Affected Versions Unraid affected versions not specified Description A command injection flaw in the web server allows authenticated remote attackers to execute arbitrary code in the context of the www-data user. The issue occurs in the ToggleState.php file due...

PT-2026-52119

Name of the Vulnerable Software and Affected Versions Unraid Web Server affected versions not specified Description A command injection flaw in the FileUpload.php file allows authenticated remote attackers to execute arbitrary code in the context of the www-data user. The issue is caused by...

PT-2026-52118

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 8.5.1 Rocket.Chat versions prior to 8.4.4 Rocket.Chat versions prior to 8.3.6 Rocket.Chat versions prior to 8.2.6 Rocket.Chat versions prior to 8.1.6 Rocket.Chat versions prior to 8.0.7 Rocket.Chat versions prior ...

PT-2026-52138

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.31 Description Cacti is an open source performance and fault management framework. A pre-authentication SQL Injection exists in the 'graph view.php' endpoint due to an unanchored FILTER VALIDATE REGEXP. SQL Injectio...

PT-2026-52137

Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.31 Description An unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This occurs because the rfilter request parameter is retrieved via...

PT-2026-51751

Name of the Vulnerable Software and Affected Versions curl versions 7.7 through 8.11.0 Description libcurl incorrectly reuses connections from its connection pool when certain mTLS mutual TLS configuration options are modified. Specifically, the configuration match checks failed to include option...

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

CVE-2026-47383

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no...

CVE-2026-46554

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row bu...

EUVD-2026-38594

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it's a duplicate of CVE-2026-56784...

CVE-2026-46548 NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins Slack, Discord, Mattermost, Teams because httpAgent / httpsAgent were passed as part of the request body rather th...

Security Bulletin: Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system

Summary IBM Storage Protect Snapshot For Windows is affected by allowing a remote unauthenticated attacker to bypass authentication and gain SYSTEM-level access due to a hardcoded credential. Vulnerability Details CVEID:CVE-2026-12628 DESCRIPTION: IBM Storage Protect Client 8.1.0.0 through 8.2.1....