CVE-2026-40926 WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...
CVE-2026-40590
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already...
CVE-2026-40590 FreeScout's Customer AJAX Create Modifies Hidden Existing Customer
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already...
CVE-2026-40590
FreeScout prior to 1.8.214 exposes a Change Customer flow (POST /customers/ajax, action=create) in the Change Customer modal. The endpoint skips unique-email validation under limited visibility, and if the provided email matches a hidden existing customer, Customer::create() reuses that hidden cu...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010844)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010844 advisory. In the Linux kernel, the following vulnerability has been resolved: iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe The fsl_pamu_probe returns directly when createcsd...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011164)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011164 advisory. In the Linux kernel, the following vulnerability has been resolved: configfs: fix possible memory leak in configfs_create_dir kmemleak reported memory leaks in...
Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011370)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011370 advisory. In the Linux kernel, the following vulnerability has been resolved: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list Many syzbot reports show extreme rtnl...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011133)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011133 advisory. In the Linux kernel, the following vulnerability has been resolved: ext4: fix inode leak in ext4_xattr_inode_create on an error path There is issue as follows when do...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011174)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011174 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible UAF in snic_tgt_create Smatch reports a warning as follows:...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-010914)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010914 advisory. In the Linux kernel, the following vulnerability has been resolved: coresight: syscfg: Fix memleak on registration failure in cscfg_create_device device_register calls...
EUVD-2026-23929
GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFTReport::Create without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a...
CVE-2026-23757
GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFTReport::Create without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a...
CVE-2026-33558
Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information wi...
CVE-2026-33558
CVE-2026-33558 affects Apache Kafka: the NetworkClient logs sensitive information at DEBUG level, exposing full requests/responses for certain APIs (AlterConfigsRequest, AlterUserScramCredentialsRequest, ExpireDelegationTokenRequest, IncrementalAlterConfigsRequest, RenewDelegationTokenRequest, Sa...
CVE-2026-40342
A flaw was found in Firebird, an open-source relational database management system. An authenticated user with CREATE FUNCTION privileges can exploit a path traversal vulnerability in the external engine plugin loader. This allows an attacker to use a crafted engine name to load an arbitrary shar...
Arbitrary File Upload
Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the create_upload_file function. An attacker can upload arbitrary files by sending crafted requests to the affected API endpoint. Remediation Upgrade langflow-base to version 0.8.0 or higher. References - GitHub...
Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...
CVE-2026-6596
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...
CVE-2026-6598
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...