Vikunja 安全漏洞

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja from 0.20.2 to 2.2.0 contained security vulnerabilities. The vulnerability stemmed from a typo in the endpoint DELETE /api/v1/projects/:project/background; the permission being checked was CanRead...

PT-2026-26622

Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...

Cross-site Scripting (XSS)

Overview @dicebear/core is an An avatar library for designers and developers. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized interpolation of user-supplied options in the createAvatar function. An attacker can execute arbitrary scripts in the context ...

Cross-site Scripting (XSS)

Overview @dicebear/initials is an Initials avatar style for DiceBear Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized interpolation of user-supplied options in the createAvatar function. An attacker can execute arbitrary scripts in the context of the...

SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials

Summary SVG attribute values derived from user-supplied options backgroundColor, fontFamily, textColor were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting XSS when applications pass untrusted input to createAvatar and serve the resulting SVG inline or...

Apple patches WebKit bug that could let sites access your data

Apple has released a Background Security Improvement to patch a flaw that could allow malicious websites to bypass browser protections and access data from other sites. What is it? The patched WebKit vulnerability is described as: “A cross-origin issue in the Navigation API was addressed with...

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 CVSS score: N/A, has been described as a cross-origin issue in WebKit's Navigation API that could be...

CVE-2026-28674

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password qweasd123456 and ignores file content. A...

EUVD-2026-12663

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy...

CVE-2026-20643

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously...

UBUNTU-CVE-2026-20643

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously...

CVE-2026-20643

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously...

CVE-2026-20643

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously...

CVE-2026-20643

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously...

About the security content of Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2

About the security content of Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 This document describes the content of Background Security Improvements. About Background Security Improvements Background Security Improvements deliver important security...

CVE-2026-20992

Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application...

CVE-2026-20992

Summary of disclosed details: The connected advisories indicate an improper authorization in Settings prior to SMR Mar-2026 Release 1, enabling a local attacker to disable the configuration of background data usage. The NCSC advisory confirms this family of fixes for Google Android and Samsung Mo...

CVE-2026-20992

Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application...

CVE-2026-20992

Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application...

CVE-2026-20992

Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application...