CVE-2026-27101

Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application versions 5.28.00.xx–5.32.00.xx suffer an improper pathname restriction (path traversal) vulnerability. Root cause: insufficient validation of pathnames leading to restricted directories. Impact: potential remote code execution by a h...

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2026-1532)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1532 advisory. Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it...

Medium: runfinch-finch

Issue Overview: Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.5, Fulcio's metaRegex function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services...

PT-2026-29478

Dell Secure Connect Gateway SCG 5.0 Appliance and Application versions 5.28.00.xx to 5.32.00.xx, contains an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability. A high privileged attacker within the management network could potentially exploit this...

CVE-2026-31946

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse method silently discards the...

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to path traversal (CVE-2026-29045) loss of integrity (CVE-2026-29085) and loss of confidentiality (CVE-2026-29086)

Summary Node.js module hono is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to path traversal CVE-2026-29045 loss of integrity CVE-2026-29085 and loss of confidentiality CVE-2026-29086. This bulletin provides patch...

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to cross-site scripting (CVE-2026-25896)

Summary Node.js module fast-xml-parser is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to cross-site scripting. This bulletin provides patch information to address the reported vulnerability in Node.js module...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to remote code execution (CVE-2026-27212)

Summary Node.js module swipper is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to remote code execution. This bulletin provides patch information to address the reported vulnerability in Node.js...

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to loss of confidentiality (CVE-2025-68121)

Summary IBM App Connect Enterprise Certified Container operator and DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Golang module crypto/tls...

BIT-GITLAB-2026-2370 Improper Handling of Parameters in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and...

SUSE CVE-2026-5119

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential...

Linux Distros Unpatched Vulnerability : CVE-2026-2370

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Conne...

CVE-2026-31946

OpenOLAT OpenID Connect implicit flow (versions 10.5.4–before 20.2.5) does not verify JWT signatures. The JSONWebToken.parse() method discards the signature segment, and getAccessToken() validates only issuer/audience/state/nonce, without cryptographic verification against the IdP’s JWKS. This ca...

CVE-2026-31946 OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse method silently discards the...

CVE-2026-31946

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse method silently discards the...

CVE-2026-31946 OpenOLAT: Authentication bypass via forged JWT in OIDC implicit flow

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse method silently discards the...

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.0.2 Vulnerability Details CVEID:CVE-2012-6708 DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable...

CVE-2026-2370

A flaw was found in GitLab CE/EE. An authenticated user with minimal workspace permissions could exploit an improper authorization check within Jira Connect installations to obtain installation credentials and impersonate the GitLab application. This vulnerability could lead to unauthorized acces...

EUVD-2019-20047

Device Monitoring Studio 8.10.00.8925 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the server connection dialog. Attackers can trigger the crash by entering a malformed server name or address containing...

CVE-2019-25655

CVE-2019-25655 affects Device Monitoring Studio 8.10.00.8925 and is a Denial of Service vulnerability. The issue arises when a user provides an excessively long string to the server connection dialog, specifically by entering a malformed server name or address containing repeated characters via T...