WWBN AVideo 信息泄露漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to version 29 contain an information leakage vulnerability. This vulnerability stems from the git.json.php file located in the root directory, which executes and returns the complet...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-006953)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006953 advisory. In the Linux kernel, the following vulnerability has been resolved: dm thin: Use last transaction's pmd-root when commit failed Recently we found a softlock up probl...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011259)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011259 advisory. In the Linux kernel, the following vulnerability has been resolved: ext4: fix leaking uninitialized memory in fast-commit journal When space at the end of fast-commi...

PT-2026-34204

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description An incomplete fix in the CloneSite feature allows for the deletion of arbitrary files. The deleteDump parameter in a GET request does not properly filter path traversal sequences, such as ../.....

PT-2026-34201

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds isSSRFSafeURL validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013101)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013101 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: release mutex after nftgcseqend from abort path The commit mutex should not ...

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011041)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011041 advisory. In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: release mutex after nftgcseqend from abort path The commit mutex should not ...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011242)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011242 advisory. In the Linux kernel, the following vulnerability has been resolved: dm thin: Use last transaction's pmd-root when commit failed Recently we found a softlock up probl...

PT-2026-34223

Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev98 Description An issue exists where role and permission are cached in the session during login. The system continues to authorize requests using these cached values even after an administrator modifies the...

Insights into Security-Related AI-Generated Pull Requests

Recent years have experienced growing contributions of AI coding agents that assist human developers in various software engineering tasks. However, this growing AI-assisted autonomy raises questions about security and trust. In this paper, we analyze more than 33,000 AI-generated pull requests P...

PT-2026-34216

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.1 Description An incomplete fix in the 'test.php' file allows for unsanitized input. While the wget path was secured using escapeshellarg, the file get contents and curl code paths remain unsanitized. Additionally,...

PT-2026-34178

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $ POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013247)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013247 advisory. Two memory leaks in the mwifiexpcieinitevtring function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel through 5.3.11 allow attackers to cause a...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-013204)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013204 advisory. In the Linux kernel, the following vulnerability has been resolved: dm thin: Use last transaction's pmd-root when commit failed Recently we found a softlock up probl...

Command Injection

Overview flowsint is an Add your description here Affected versions of this package are vulnerable to Command Injection via the orgtoasn transform process. An attacker can execute arbitrary operating system commands as root on the host machine by supplying shell metacharacters and escaping the...

CVE-2026-40494

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in tga.c has an asymmetric bounds check vulnerability. The run-packet path line 297 correctl...

CVE-2026-40492

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on pixmapdepth but the byte-swap code uses bitsperpixel independently. When...

CVE-2026-40493

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel bpp from raw header fields channels depth, but the pixel buffer is allocated base...

CVE-2026-40515

OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root directories that are not...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload due to concatenating tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. An attacker can cause unintended files to be installed by supplying a specially crafted archi...