Infiltration Systems NetAware 缓冲区错误漏洞

Infiltration Systems NetAware is a network management tool developed by Invasion Systems Corporation, designed to monitor computer network activities and application usage. Version 1.20 of Infiltration Systems NetAware contains a buffer error vulnerability. This vulnerability stems from a buffer...

CVE-2026-33060 CKAN MCP Server: SSRF via base_url allows access to internal networks

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

CVE-2026-27979 Next.js: Unbounded postponed resume buffering can lead to DoS

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...

PT-2026-26096

Summary The @aborruso/ckan-mcp-server MCP server provides tools including ckan package search and sparql query that accept a base url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal...

PT-2026-29984

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.15 and prior to 1.6.15 Description A flaw exists in Roundcube Webmail that allows bypassing the remote image blocking feature through specially crafted SVG content within email messages. This bypass can...

Roundcube -- Multiple vulnerabilities

The Roundcube project reports: pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler password could get changed without providing the old password IMAP Injection + CSRF bypass in mail search remote image blocking bypass via various SVG animate attributes remot...

CVE-2026-25771

Wazuh vulnerability CVE-2026-25771 affects versions 4.3.0 through prior to 4.14.3. The DoS arises in the API authentication middleware: the async Starlette/Asyncio loop calls a synchronous generate_keypair function that performs blocking disk I/O on every request with a Bearer token, allowing an ...

CVE-2026-25771

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service DoS vulnerability exists in the Wazuh API authentication middleware middlewares.py. The application uses an asynchronous event...

CVE-2026-25771 Wazuh Vulnerable to Denial of Service via Synchronous I/O Blocking in Asynchronous Authentication Middleware

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.3.0 and prior to version 4.14.3, a Denial of Service DoS vulnerability exists in the Wazuh API authentication middleware middlewares.py. The application uses an asynchronous event...

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process

Summary A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's...

EUVD-2026-10713

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...

CVE-2026-30977

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...

EUVD-2026-10714

RenderBlocking is a MediaWiki extension that allows interface administrators to specify render-blocking CSS and JavaScript. Prior to 0.1.1, there is Stored XSS in renderblocking-css with Inline Assets mode. $wgRenderBlockingInlineAssets = true and editsitecss user rights are required. This...

CVE-2025-41759

An administrator may attempt to block all networks by specifying "\" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all...

PT-2026-24343

Name of the Vulnerable Software and Affected Versions MediaWiki RenderBlocking versions prior to 0.1.1 Description The RenderBlocking extension for MediaWiki allows interface administrators to specify render-blocking CSS and JavaScript. Prior to version 0.1.1, a Stored Cross-Site Scripting XSS...

EUVD-2026-10332

Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes...

CVE-2026-2261

Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes...

EUVD-2025-208364

An administrator may attempt to block all networks by specifying "" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all...

EUVD-2025-208365

An administrator may attempt to block all networks by specifying "" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all...

CVE-2025-41759

An administrator may attempt to block all networks by specifying "" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all...