CVE-2025-59108

CVE-2025-59108 affects the web interface of the dormakaba Access Manager. The issue is a weak/default password policy: the password is set to 'admin' by default and, in tested versions, changing it is not enforced, enabling unauthenticated access to the web UI. According to the available sources,...

PT-2026-4826

Name of the Vulnerable Software and Affected Versions EVerest versions prior to 2025.12.1 Description EVerest is an EV charging software stack susceptible to a bypass of sequence state verification, including authentication. This allows sending requests that transition to forbidden states,...

Tenda W30E security vulnerabilities

The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 had security vulnerabilities. These vulnerabilities stemmed from a maintenance interface that allowed changes to account passwords without verification of the existing...

PT-2026-4758

By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced...

pnpm security vulnerabilities

PNPM is a package manager developed by the open-source project Pnpm. Versions of Pnpm prior to 10.28.2 had security vulnerabilities. These vulnerabilities stemmed from the lack of path validation when processing the directories.bin field of packages. This allowed malicious npm packages to modify...

Tenda W30E security vulnerabilities

The Tenda W30E is a router produced by the Chinese company Tenda. The Tenda W30E V2 and earlier versions have security vulnerabilities. These vulnerabilities stem from an authorization flaw in the user management API, which may allow users with low privileges to change the password of administrat...

CVE-2026-23011 ipv4: ip_gre: make ipgre_header() robust

In the Linux kernel, the following vulnerability has been resolved: ipv4: ipgre: make ipgreheader robust Analog to commit db5b4e39c4e6 "ip6gre: make ip6greheader robust" Over the years, syzbot found many ways to crash the kernel in ipgreheader 1. This involves team or bonding drivers ability to...

CVE-2025-14907

The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the mspadminpage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forg...

CVE-2026-1075

CVE-2026-1075 – ZT Captcha (WordPress) : The WordPress plugin is vulnerable to Cross-Site Forgery (CSRF) in all versions up to 1.0.4 due to improper nonce validation on the save_ztcpt_captcha_settings action. This allows unauthenticated attackers to modify plugin settings via a forged request if ...

WordPress plugin Meta-box GalleryMeta has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-24055

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow,...

Gitea improperly exposes issue and pull request titles

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications...

Ruoyi security vulnerabilities

Ruoyi is a backend management system developed by Ruoyi’s individual developer. The Ruoyi v4.8.2 version has a security vulnerability, which stems from improper access control in the update function. This vulnerability could allow unauthorized attackers to modify data beyond its intended scope...

Security update for php7

This update for php7 fixes the following issues: Security fixes: CVE-2025-14178: heap buffer overflow occurs in arraymerge when the total element count of packed arrays exceeds 32-bit limits or HTMAXSIZE bsc1255711. Other fixes: Add all php7 packages to PackageHUB unsupported, no source changes...

Improper Access Control

Pterodactyl is vulnerable to Improper Access Control. The vulnerability is due to failure to revoke active SFTP sessions when user permissions are removed or modified, which allows an attacker with an existing SFTP connection to retain unauthorized file access after their privileges are revoked...

AZL-75192 CVE-2026-24049 affecting package python-virtualenv 20.26.6-2

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the...

AZL-75195 CVE-2026-24049 affecting package python-wheel 0.43.0-1

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the...

AZL-77826 CVE-2026-24049 affecting package python-virtualenv 20.36.1-1

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the...

CVE-2026-24049

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the...

CVE-2026-24055

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow,...