28 matches found
CVE-2026-25219 Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
The access_key and connection_string connection properties were not marked as sensitive names in secrets masker. This means that a user with read permission could see the values in Connection UI, as well as when Connection was accidentally logged to logs, those values could be seen in the logs. Azure...
SUSE-SU-2026:1122-1 Security update for redis
This update for redis fixes the following issue: - a user can manipulate data read by a connection by injecting sequences into a Redis error reply bsc1258706...
Devolutions Server < 2025.3.15 Multiple Vulnerabilities (DEVO-2026-0004)
The version of Devolutions Server installed on the remote host is prior to 2025.3.15. It is, therefore, affected by multiple vulnerabilities: - A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries. CVE-2026-1768 -...
CVE-2026-3131
Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data...
CVE-2026-3131
CVE-2026-3131 affects Devolutions Server 2025.3.14.0 and earlier. The issue is improper access control in multiple DVLS REST API endpoints, allowing an authenticated user with view‑only permission to access sensitive connection data. The provided documents do not include exploitation details or a...
PT-2026-21792
Name of the Vulnerable Software and Affected Versions Devolutions Server versions 2025.3.14.0 and earlier Description An issue exists in Devolutions Server where improper access control in several DVLS REST API endpoints allows an authenticated user with view-only permissions to access sensitive...
GHSA-Q475-2PGM-7HVP Apache Airflow: Connection sensitive details exposed to users with READ permissions
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was...
CVE-2025-54831
Apache Airflow 3.x (notably 3.0.3) exposes sensitive connection details to users with READ permissions via API/UI, bypassing AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS. Affected: Airflow 3.0.3; mitigation is upgrading to 3.0.4 or newer. This issue does not affect Airflow 2.x, where the behavio...
CVE-2025-54831 Apache Airflow: Connection sensitive details exposed to users with READ permissions
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was...
scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
...
SUSE CVE-2025-38700
In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated. In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when n...
DEBIAN-CVE-2025-38700
In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated. In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when n...
CVE-2025-38700
In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated. In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when n...
AZL-73932 CVE-2025-38700 affecting package kernel for versions less than 5.15.200.1-1
In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated. In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when n...
Citrix Director - Unable to retrieve the list of Connections
Citrix Director does not show any 'Connection' information under 'Filters'. There is an error displayed in Director: "Data source unresponsive or reported an error. View Director server event logs for further information Refer Citrix KB article CTX130320" You can also find an event ID 5 logged by...
PT-2024-18182 · WordPress · The Scheduling Plugin – Online Booking
Name of the Vulnerable Software and Affected Versions: The Scheduling Plugin – Online Booking for WordPress plugin versions up to, and including, 3.5.10 Description: The issue is related to a missing capability check on the cbsb disconnect settings function, which allows unauthenticated attackers...
WordPress plugin Scheduling Plugin - Online Booking Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2023-6964
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadence_import_get_new_connection_data' AJAX action. This makes it possible for authenticated attackers, with...