Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments

Summary PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object order, which contains some sensitive fields such as custome...

Microsoft Windows Storage Spaces Controller 数字错误漏洞

Microsoft Windows Storage Spaces Controller is a necessary driver provided by Microsoft for providing storage space functions. There is a numerical error vulnerability in Microsoft Windows Storage Spaces Controller. Attackers can exploit this vulnerability to gain higher privileges. The following...

PT-2026-32684

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

Webkul Krayin CRM 安全漏洞

Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Version 2.2.x of Webkul Krayin CRM contains a security vulnerability. This vulnerability stems from an object-level authorization flaw in the...

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

PT-2026-32683

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...

DCSync Detection Without Signatures: Trellix NDR and the Power of Technique-Based Defense

DCSync Detection Without Signatures: Trellix NDR and the Power of Technique-Based Defense By Maulik Maheta and Chao Sun · April 14, 2026 Executive summary A DCSync attack is one of the most formidable techniques an adversary can deploy after gaining a foothold in an Active Directory AD environmen...

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

Microsoft Windows Storage Spaces Controller 缓冲区错误漏洞

Microsoft Windows Storage Spaces Controller is a necessary driver provided by Microsoft for providing storage space functions. There is a buffer error vulnerability in Microsoft Windows Storage Spaces Controller. Attackers can exploit this vulnerability to gain elevated privileges. The following...

CVE-2026-38529

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...

Webkul Krayin CRM 安全漏洞

Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Version 2.2.x of Webkul Krayin CRM contains a security vulnerability. This vulnerability stems from an object-level authorization flaw in the /Settings/UserController.php...

CVE-2026-32270

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...

CVE-2026-32270

The CVE affects Craft Commerce (Craft CMS) where PaymentsController::actionPay leaks order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. In affected versions 4.0.0–4.10.2 and 5.0.0–5.5.4, the JSON error response includes the ...

CVE-2026-32270 Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...

CVE-2026-31426

A flaw was found in the Linux kernel's Advanced Configuration and Power Interface ACPI Embedded Controller EC subsystem. During the setup of the EC handler, if a probe deferral occurs on specific hardware, the system fails to properly deallocate resources. This oversight creates a use-after-free...

GHSA-R2PG-R6H7-CRF3 External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine

Summary The v2 template engine in runtime/template/v2/template.go imports Sprig’s TxtFuncMap and removes env and expandenv, but leaves getHostByName available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated...

External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine

Summary The v2 template engine in runtime/template/v2/template.go imports Sprig’s TxtFuncMap and removes env and expandenv, but leaves getHostByName available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated...

EUVD-2026-21953

In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpiecsetup When ecinstallhandlers returns -EPROBEDEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpiec...

CVE-2026-31426

In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpiecsetup When ecinstallhandlers returns -EPROBEDEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpiec...

CVE-2026-31426

Summary: CVE-2026-31426 concerns the Linux kernel ACPI EC handling. When ec_install_handlers() defers probing on reduced‑hardware platforms, the error path could leave a dangling EC space handler context if acpi_ec_setup() propagates the error, leading to use‑after‑free when AML accesses an OpReg...