CVE-2026-4035

A flaw was found in MLflow. This vulnerability allows an attacker to exfiltrate sensitive server-side environment credentials. It occurs because the AI Gateway secrets can resolve environment variables, which are then sent to an attacker-controlled endpoint. This could lead to unauthorized access...

Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret

Impact The DynamicClientRegistrationControllerregister action hard-codes confidential: false when creating applications dynamicclientregistrationcontroller.rb:18-25, yet the response includes a clientsecret and advertises tokenendpointauthmethodssupported: "clientsecretbasic", "clientsecretpost"...

GHSA-M6VC-F87M-CC2H Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret

Impact The DynamicClientRegistrationControllerregister action hard-codes confidential: false when creating applications dynamicclientregistrationcontroller.rb:18-25, yet the response includes a clientsecret and advertises tokenendpointauthmethodssupported: "clientsecretbasic", "clientsecretpost"...

CVE-2026-10729

An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting XSS in emails clients that render HTML emails. This issue affects Canarytokens: fr...

CVE-2026-10729

The CVE-2026-10729 entry covers an HTML injection vulnerability in Thinkst Applied Research Canarytokens specifically in the notification email delivery. Affected component: Canarytokens notification emails that render HTML. Root cause described: HTML injection can enable Interface Manipulation a...

ShellShock - Remote Code Execution

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the modcgi and modcg...

[SECURITY] Fedora 43 Update: netatalk-4.4.3-1.fc43

Netatalk is a freely-available Open Source AFP file server. A NIX/BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server AFP. In addition to the AFP file server daemon, the following utility programs are also included: ad - AppleDouble...

[SECURITY] Fedora 44 Update: perl-libwww-perl-6.83-1.fc44

The libwww-perl collection is a set of Perl modules which provides a simple a nd consistent application programming interface to the World-Wide Web. The main focus of the library is to provide classes and functions that allow you to write WWW clients. The library also contain modules that are of...

CVE-2026-9137

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses kafka-clients-3.9.1.jar which is vulnerable to CVE-2026-35554

Summary Security Bulletin: IBM Maximo Application Suite - Monitor Component uses kafka-clients-3.9.1.jar which is vulnerable to CVE-2026-35554.This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-35554 DESCRIPTION: A race condition in the Apache...

SUSE CVE-2026-5947

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG0, it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached as would occur during a query...

DEBIAN-CVE-2026-45076

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...

CVE-2026-45076

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...

CVE-2026-45076

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...

CVE-2026-45076 Synapse pagination denial of service

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This...

CVE-2026-9796 Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

CVE-2026-9796 Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

CVE-2026-9796

This CVE (CVE-2026-9796) affects Keycloak. An authenticated administrator with the manage-clients role can trigger a TOCTOU flaw in the name-based admin role checks, allowing escalation to realm-admin for all users in the realm. The compromised composite role relationship persists after the attac...

EUVD-2026-32716

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

CVE-2026-9796

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...