CVE-2026-45628

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via childprocess.exec which runs through /bin/sh -c. User-supplied branch names, repository URLs, and Docker credentials are...

Security update for postgresql14

This update for postgresql14 fixes the following issues Update to version 14.23. Security issues: CVE-2026-6472: ensure the user has CREATE privilege on the schema specified bsc1265172. CVE-2026-6473: integer overflows in memory-allocation calculations bsc1265173. CVE-2026-6474: Guard against...

CVE-2018-25397 PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()

...

btrfs: fix double free in create_space_info() error path

...

[SECURITY] Fedora 43 Update: podofo-1.0.4-1.fc43

PoDoFo is a library to work with the PDF file format. The name comes from the first letter of PDF Portable Document Format. A few tools to work with PDF files are already included in the PoDoFo package. The PoDoFo library is a free, portable C++ library which includes classes to parse PDF files a...

SUSE CVE-2026-46129

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in createspaceinfo error path When kobjectinitandadd fails, the call chain is: createspaceinfo - btrfssysfsaddspaceinfotype - kobjectinitandadd - failure - kobjectput&spaceinfo-kobj - spaceinforelease -...

[SECURITY] Fedora 44 Update: podofo-1.0.4-1.fc44

PoDoFo is a library to work with the PDF file format. The name comes from the first letter of PDF Portable Document Format. A few tools to work with PDF files are already included in the PoDoFo package. The PoDoFo library is a free, portable C++ library which includes classes to parse PDF files a...

shopper 授权问题漏洞

Shopper is an open-source e-commerce management backend developed by Shopper Labs. Versions of Shopper prior to 2.8.0 had authorization-related vulnerabilities. These vulnerabilities stemmed from two authorization flaws in the team settings system: the mount method in Settings/Team/Index was not...

WordPress plugin WP Maps Pro 访问控制错误漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Linux Distros Unpatched Vulnerability : CVE-2026-46129

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - btrfs: fix double free in createspaceinfo error path When kobjectinitandadd fails, the call chain is: createspaceinfo - btrfssysfsaddspaceinfotype -...

CVE-2026-8809

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the aftervalidatesavepost function unconditionally trusting the attacker-controlled acfpostid POST...

CVE-2026-46178

A flaw was found in the Linux kernel. This vulnerability, located in the RDMA/mlx4 component, is due to a resource leak during error handling in the mlx4ibcreatesrq function. An attacker could potentially exploit this flaw to cause a denial of service by exhausting system resources...

CVE-2026-46138

A flaw was found in the Linux kernel's Bluetooth subsystem, specifically within the hcilecreatebigcompleteevt function. A remote attacker, by sending a specially crafted LECreateBIGComplete event from a malicious Bluetooth controller, could trigger an out-of-bounds read and an infinite loop. This...

CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

CVE-2026-45374

CVE-2026-45374 affects CodeWhale’s DeepSeek+MiMo task_create flow. Before version 0.8.26, sub-agents inherit two insecure defaults: allow_shell = true and auto_approve = true, enabling unrestricted, unapproved shell access after user approval of a task_create prompt. This can lead to remote comma...

CVE-2026-40914

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for...

EUVD-2026-32894

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for...

CVE-2026-40914 Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for...