CVE-2026-23923

CVE-2026-23923 : An unauthenticated attacker can abuse the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. Impact depends on environment, but appears limited; CVSS 4.0 base vector lists MEDIUM severity (6.9). No concrete exploitation details or affected product/vendor are...

OPENSUSE-SU-2026:20412-1 Security update for salt

This update for salt fixes the following issues: Changes in salt: - Security issues fixed: CVE-2025-67724: fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: fixed HTTP header parameter parsing algorithm...

SUSE-SU-2026:20825-1 Security update for salt

This update for salt fixes the following issues: - Security issues fixed: CVE-2025-67724: missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: fix DoS via malicious HTTP request bsc1254905 CVE-2025-67726: fix HTTP header parameter parsing algorithm bsc1254904 - Fixed KeyError i...

SUSE-SU-2026:20820-1 Security update for salt

This update for salt fixes the following issues: - Security issues fixed: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header parameter parsing algorithm bsc1254904...

PT-2026-27476

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An unauthenticated attacker can exploit the 'validate' action in the Frontend to blindly instantiate arbitrary PHP classes. The impact of this issue depends on t...

EUVD-2026-12548

The mailqueue TYPO3 extension has Insecure Deserialization in TransportFailure class...

CVE-2026-1323

The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...

Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Impact The GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.5.2-alpha.12 and 8.6.25 contain security vulnerabilities. These vulnerabilities stem from the ability to read, modify, and delete...

PYSEC-2026-98

A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling...

DEBIAN-CVE-2026-0847

A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling...

UBUNTU-CVE-2026-0847

A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling...

CVE-2026-28695

Craft is a content management system CMS. There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create Twig function combined with a Symfony Process gadget chain. The create Twig function exposes Craft::createObject, which allows instantiation of...

CVE-2026-28695 Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

Craft is a content management system CMS. There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create Twig function combined with a Symfony Process gadget chain. The create Twig function exposes Craft::createObject, which allows instantiation of...

-react-file-list-components (=1.1.1), 01basicreact (>=0.1.0 <=0.1.9) +29465 more potentially affected by CVE-2026-27601 via underscore (>=1.0.3 <=1.13.7)

underscore NPM version =1.0.3, =0.1.0, =0.1.0, =0.1.6 - 0beny1s =1.1.6 - 0scarclassa =1.0.1 - 0scarclassb =1.0.1 - 0scarclassc =1.0.1 - 0scarclassd =1.0.1 - 0scarclasse =1.0.1 - 0scarclassf =1.0.1 - 0scarclassg =1.0.1 - 0scarclassh =1.0.1 - 0scarclassi =1.0.1 - 0scarclassj =1.0.1 - 0scarclassk...

EUVD-2025-208180

Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is performed, the data can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's...

CVE-2025-11165

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine VTools that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. By dynamically modifying the Velocity engine’s runtime configuration and...

SUSE-SU-2026:0631-1 Security update 5.1.2 for Multi-Linux Manager Salt Bundle

This update fixes the following issues: venv-salt-minion: - Backported security patches for Salt vendored tornado: CVE-2025-67724: Fixed missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: Fixed DoS via malicious HTTP request bsc1254905 CVE-2025-67726: Fixed HTTP header...

Security update 5.1.2 for Multi-Linux Manager Salt Bundle

This update fixes the following issues: venv-salt-minion: Backport security patches for Salt vendored tornado: CVE-2025-67724: missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: fix DoS via malicious HTTP request bsc1254905 CVE-2025-67726: fix HTTP header parameter parsing...

SUSE-SU-2026:0629-1 Security update 5.1.2 for Multi-Linux Manager Salt Bundle

This update fixes the following issues: venv-salt-minion: - Backport security patches for Salt vendored tornado: CVE-2025-67724: missing validation of supplied reason phrase bsc1254903 CVE-2025-67725: fix DoS via malicious HTTP request bsc1254905 CVE-2025-67726: fix HTTP header parameter parsing...