CVE-2026-24049 wheel Allows Arbitrary File Permission Modification via Path Traversal

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the...

CVE-2026-23992

go-tuf is a Go implementation of The Update Framework TUF. Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...

CVE-2026-23992 go-tuf improperly validates the configured threshold for delegations

go-tuf is a Go implementation of The Update Framework TUF. Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...

Azure Linux 3.0 Security Update: kernel (CVE-2024-49980)

"The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-49980 advisory. - In the Linux kernel, the following vulnerability has been resolved: vrf: revert vrf: Remove unnecessary...

go-tuf data falsification vulnerability

go-tuf is a framework developed by The Update Framework for protecting software update systems. Versions of go-tuf from 2.0.0 to 2.3.1 had a data manipulation vulnerability due to improper configuration of the signature threshold. This vulnerability could allow unauthorized modifications to TUF...

Azure Linux 3.0 Security Update: kernel (CVE-2024-58100)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-58100 advisory. - In the Linux kernel, the following vulnerability has been resolved: bpf: check changespktdata property for...

Azure Linux 3.0 Security Update: kernel (CVE-2025-37992)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-37992 advisory. - In the Linux kernel, the following vulnerability has been resolved: netsched: Flush gsoskb list too during...

CVE-2021-47830

GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery CSRF vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not...

CVE-2021-47830

GetSimple CMS My SMTP Contact Plugin 1.1.1 is affected by a CSRF vulnerability. An attacker can lure an authenticated administrator to a malicious page to modify SMTP configuration settings, potentially enabling unauthorized changes. The vulnerability is CSRF with no direct remote code execution ...

Everest-core security vulnerabilities

Everest-core is a major component of the open-source electric vehicle charging software stack developed by EVerest. Versions of Everest-core prior to 2025.9.0 contained security vulnerabilities. These vulnerabilities stemmed from validation flaws when the default value of the session ID was 0,...

UBUNTU-CVE-2026-21947

Vulnerability in Oracle Java SE component: JavaFX. Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human...

MiracleLinux 9 : python-urllib3-1.26.5-3.el9_3.1 (AXSA:2024-7481:02)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-7481:02 advisory. python-urllib3: Cookie request header isn't stripped during cross-origin redirects CVE-2023-43804 urllib3: Request body not stripped after redirect...

MiracleLinux 8 : libarchive-3.3.3-3.el8 (AXSA:2022-3102:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-3102:01 advisory. libarchive: extracting a symlink with ACLs modifies ACLs of target CVE-2021-23177 libarchive: symbolic links incorrectly followed when changing mode...

WordPress plugin NotificationX has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

Oracle ZFS Storage Appliance Kit security vulnerabilities

The Oracle ZFS Storage Appliance Kit is a storage device from the American company Oracle, which supports flash-based, PB-level file storage and includes an embedded Oracle database. Version 8.8 of the Oracle ZFS Storage Appliance Kit contains a security vulnerability. This vulnerability allows...

EUVD-2026-3286

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

GHSA-7CQ3-MHXQ-W946

creationtimestamp| type| source ---|---|--- 2026-01-17 12:45:03+00:00| seen| https://bsky.app/profile/nixpkgssecuritychanges.gerbet.me/post/3mcmndtqqbw2s...

CVE-2026-0820

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

EUVD-2026-3150

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...

WordPress Plugin RegistrationMagic has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...