Important: Red Hat Security Advisory: Multicluster Global Hub 1.4.5 security update

Multicluster Global Hub v1.4.5 general availability release images, which provide security fixes, bug fixes, and updated container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a...

CVE-2026-24085

Memory Corruption when processing display command line information due to improper initialization of a variable...

CVE-2026-24085 Stack-based Buffer Overflow in Display

Memory Corruption when processing display command line information due to improper initialization of a variable...

CVE-2026-28580

In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0095

The provided CVE-2026-0095 entries describe a vulnerability in the Bluetooth stack, specifically in the function l2c_fcr_clone_buf in l2c_fcr.cc. The issue is an integer overflow that can trigger controlled heap corruption within the privileged Bluetooth process, leading to local escalation of pr...

CVE-2026-0078

CVE-2026-0078 affects Android’s DevicePolicyManagerService (setGlobalProxy). The issue is a desync in persistence caused by improper input validation, enabling local privilege escalation with no extra execution privileges required. Exploitation is described as local and does not require user inte...

CVE-2026-0086

CVE-2026-0086 affects the Android component DisableSupervisionActivity.kt, where in onCreate a missing null check can permit deletion of supervision data. This enables local escalation of privilege without extra execution privileges and without user interaction. CVSSv3.1 vector (L, L, N, U) yield...

CVE-2026-0056

In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0044

CVE-2026-0044 affects the UBSan throwing runtime implementation (ubsan_throwing_runtime.cpp) across multiple functions. The vulnerability is caused by an integer overflow, which can crash the system and result in a remote denial of service. Exploitation requires network access with low attack com...

CVE-2026-45285

Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member a person added via email address who does not have a Nextcloud account, the...

CVE-2026-45284

Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0...

PortSwigger Web Security: Incomplete fix for CVE-2022-35406: meta-redirect content-type check bypassable via parameter injection

The fix for CVE-2022-35406 1541301 stops Burp from following a redirect when the response Content-Type/Content-Disposition would prevent HTML rendering. The check substring-matches html in the raw Content-Type instead of parsing the media type. A text/plain response can smuggle the token via a...

CVE-2026-45284

Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that where provided by LDAP to still authenticate towards user OIDC after they where deleted. This issue has been patched in version 8.4.0...

Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin

On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduce...

GHSA-XWQ8-FRCG-77Q8 praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR

Summary Type: Insecure Direct Object Reference. The issue CRUD endpoints GET / PATCH / DELETE /workspaces/workspaceid/issues/issueid gate access on requireworkspacememberworkspaceid only, then resolve issueid through IssueService.getissueid which is a primary-key lookup with no workspace...

CVE-2026-9963

An uninitialized use flaw was found in the iOS component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=505143241...

SUSE-SU-2026:21880-1 Security update for vim

This update for vim fixes the following issues - CVE-2026-42307: Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim bsc1264706. - CVE-2026-43961: Vimscript Code Injection in netrw NetrwMarkFile via crafted filename bsc1265349. -...

SUSE-SU-2026:21886-1 Security update for the Linux Kernel (Live Patch 7 for SUSE Linux Enterprise Micro 6.0)

This update for the SUSE Linux Enterprise Kernel 6.4.0-29.1 fixes various security issues The following security issues were fixed: - CVE-2025-54518: AMD-SN-7052: CPU OP Cache Corruption bsc1264096. - CVE-2026-23243: RDMA/umad: Reject negative datalen in ibumadwrite bsc1259798. - CVE-2026-23274:...

SUSE-SU-2026:21932-1 Security update for the Linux Kernel (Live Patch 7 for SUSE Linux Enterprise Micro 6.0)

This update for the SUSE Linux Enterprise Kernel 6.4.0-29.1 fixes various security issues The following security issues were fixed: - CVE-2025-54518: AMD-SN-7052: CPU OP Cache Corruption bsc1264096. - CVE-2026-23243: RDMA/umad: Reject negative datalen in ibumadwrite bsc1259798. - CVE-2026-23274:...

USN-8349-1 rsync vulnerabilities

Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of service. CVE-2025-10158 Batuhan Sancak, Damien Neil, and Michael Stapelberg discovere...