EUVD-2026-38596

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

Apache NiFi - Information Disclosure

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: smb: Client: Fixed an error in parsing OOB read responses for symlinks. When a CREATE command returns STATUSSTOPPEDONSYMLINK, the smb2checkmessage function returns success without performing any length validation. As a result,...

CVE-2026-41852

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Kryo-based persistence serializers KryoStateMachineSerialisationService / AbstractKryoStateMachineSerialisationService deserialise persisted state-machine contexts without enabling...

CVE-2026-41852

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

UBUNTU-CVE-2026-41852

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

EUVD-2026-35340

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

CVE-2026-41852 Spring Framework Arbitrary Method Invocation in SpEL Expressions

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

CVE-2026-41852

The CVE affects Spring Framework via SpEL evaluation allowing arbitrary zero-argument method invocation in restricted/read-only contexts across multiple versions (7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48). Root cause is the SpEL evaluation logic, enabling invocation of unintended app...

CVE-2026-41852 Spring Framework Arbitrary Method Invocation in SpEL Expressions

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

PT-2026-47663

Name of the Vulnerable Software and Affected Versions Spring Framework versions 7.0.0 through 7.0.7 Spring Framework versions 6.2.0 through 6.2.18 Spring Framework versions 6.1.0 through 6.1.27 Spring Framework versions 5.3.0 through 5.3.48 Description A flaw in the Spring Expression Language SpE...

Security update for epiphany (important)

openSUSE Security Update: Security update for epiphany Announcement ID: openSUSE-SU-2026:0193-1 Rating: important References: 1208472 Cross-References: CVE-2023-26081 Affected Products: openSUSE Backports SLE-15-SP7 An update that fixes one vulnerability is now available. Description: This update...

OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option

A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorizedkeys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This coul...

WebADM Security Auditor and Content Exposure Scanner

This Python script is a defensive security auditing tool designed to analyze a target web application for potential information exposure and security misconfigurations, specifically focusing on environments resembling WebADM. This was tested on version 2.4.17-1...

Linux Distros Unpatched Vulnerability : CVE-2026-45913

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net: bridge: mcast: always update mdbnentries for vlan contexts syzbot triggered a warning1 about the number of mdb entries in a context. It turned out that the...

SUSE CVE-2026-45913

In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: always update mdbnentries for vlan contexts syzbot triggered a warning1 about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today some got added...

CVE-2026-45913

A flaw was found in the Linux kernel's bridge multicast module. This vulnerability arises from an inconsistency in how the system tracks multicast database entries mdbnentries for virtual local area network VLAN contexts. A local user with network configuration privileges could exploit this by...

CVE-2026-42082 free5GC: Missing Concurrent NAS SMC Validation During NGAP Handover

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command,...

CVE-2026-45913

In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: always update mdbnentries for vlan contexts syzbot triggered a warning1 about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today some got added...