GHSA-JP94-3292-C3XV vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce-fips, gitlab-rails-ce...
CVE-2026-42291
SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes are not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and...
GHSA-V2FC-QM4H-8HQV vulnerabilities
Vulnerabilities for packages: ruby4.0-rails, ruby3.4-rails, ruby3.2-rails, pact-broker-docker-fips, ruby3.3-rails, pact-broker-docker, kube-logging-operator...
PT-2026-38347
Name of the Vulnerable Software and Affected Versions: IBM SDI versions 7.2.0.0 through 7.2.0.14; IBM Security Directory Integrator versions 10.0.0.0 through 10.0.0.2. Description: A remote attacker can obtain sensitive information when the system returns detailed technical error messages in the...
GHSA-95Q8-X6R6-672M Lemmy may expose private community data through community, saved, liked, and modlog API views
Summary Lemmy applies private-community checks in PostView and CommentView, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community sidebar and summary fields. Alice, a former accepted follower, can still...
GHSA-JMXC-HHWX-GVV3 Private Lemmy instances expose multi-community metadata without authentication
Summary readmulticommunity does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists. Details Other read handlers load localsite and call...
CVE-2026-20185
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This...
Security Bulletin: Boundary Workers Vulnerable to Denial of Service During TLS Handshake
Summary Boundary Community Edition and Boundary Enterprise “Boundary” workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client...
Astra Linux - vulnerability in unbound
Before version 1.9.5, Unbound allowed configuration injection in the createunboundadservers.sh script after a successful man-in-the-middle attack on a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. createunboundadservers.sh is a contribute...
CVE-2026-6539 Notepad++ 8.9.3 Format String Injection via nativeLang.xml
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through...
EUVD-2026-26436
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through...
Linux Distros Unpatched Vulnerability : CVE-2025-3922
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have...
OpenKM 6.3.12 - Multiple
Exploit Title: OpenKM Multiple Critical Zero-Day Date: 17 Jan 2026 Exploit Author: Terra System Labs Pvt. Ltd. Vendor Homepage: https://www.openkm.com/ Software Link: https://hub.docker.com/r/openkm/openkm-ce Version: OpenKM Community Edition 6.3.12 and OpenKM Pro Edition 7.1.47 and previous...
CVE-2026-38934
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settingsprocess.php...
CVE-2026-38936
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community = 2.3.5 in public/selectindices.php via the namecontains parameter...
CVE-2026-38935
A reflected cross-site scripting (XSS) vulnerability exists in diskover-community = 2.3.5 in public/view.php via the doctype parameter...
Diskover Community Edition cross-site request forgery vulnerability
Diskover Community Edition is an open-source file manager developed by Diskover Data. Versions of Diskover Community Edition 2.3.5 and earlier contain a cross-site request forgery vulnerability. This vulnerability arises from insufficient protection against cross-site request forgery, allowing remote attackers to...
Diskover Community Edition cross-site scripting vulnerability
Diskover Community Edition is an open-source file manager developed by Diskover Data. Versions of Diskover Community Edition 2.3.5 and earlier had a cross-site scripting vulnerability, which stemmed from the doctype parameter in the public/view.php file, allowing for reflective cross-site scripti...
EUVD-2026-25889
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settingsprocess.php...