15 matches found

AstraLinux
added 2026/06/19 11:10 a.m. · 2 views

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15

In the Linux kernel, the following vulnerabilities have been resolved: arm64: mm: fixed the sanity check for VA-range. Both create_mapping_noalloc and update_mapping_prot perform sanity checks on their ‘virt’ parameter. However, the check itself doesn’t make much sense. The condition used today seems ...

AI score: 6 · EPSS: 0.00173
Exploits: 0 · References: 1
OSV
added 2026/04/10 12:30 a.m. · 5 views

GHSA-PMF3-2Q63-JMP6 Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-7xr2-q9vf-x4r5. This link is maintained to preserve external references. Original Description: OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers tha...

CVSS: 7.1 · AI score: 6.5 · EPSS: 0.00324
Exploits: 1 · References: 3
Snyk
added 2026/04/08 7:15 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the content field during page creation and update operations, where user-supplied HTML is stored without proper sanitization and rendered...

CVSS: 5.5 · AI score: 5.8 · EPSS: 0.00247
Exploits: 1 · References: 2
CNNVD
added 2026/04/07 12:0 a.m. · 6 views

LinkAce Code Issue Vulnerability

LinkAce is a self-hosted repository developed by Kevin Woblick, designed to collect links to your favorite websites. Versions of LinkAce prior to 2.5.4 had code vulnerabilities. These vulnerabilities stemmed from insufficient checks on private IP addresses, allowing authenticated users to read...

CVSS: 5 · AI score: 5.9 · EPSS: 0.00274
Exploits: 1 · References: 1
NVD
added 2026/03/06 4:16 a.m. · 8 views

CVE-2026-27807

MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities e.g., assignment settings. These YAML files are parsed with aliases enabled. This issue has been patch...

CVSS: 4.9 · EPSS: 0.00284
Exploits: 0 · References: 2
RedhatCVE
added 2025/12/18 12:35 a.m. · 6 views

CVE-2025-66923

A Cross-site scripting (XSS) vulnerability in Create/Update Customers in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phonenumber parameter...

CVSS: 7.2 · AI score: 6 · EPSS: 0.00465
Exploits: 1 · References: 1
Vulnrichment
added 2025/12/17 12:0 a.m. · 3 views

CVE-2025-66923

A Cross-site scripting (XSS) vulnerability in Create/Update Customers in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phonenumber parameter...

AI score: 5.5 · EPSS: 0.00465
Exploits: 1 · References: 2
OSV
added 2025/12/05 6:15 p.m. · 4 views

CVE-2025-34265

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings o...

CVSS: 5.4 · AI score: 5.7 · EPSS: 0.00165
Exploits: 0 · References: 3
RedhatCVE
added 2025/08/21 12:26 a.m. · 17 views

CVE-2025-51487

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

CVSS: 4.5 · AI score: 5.8 · EPSS: 0.00401
Exploits: 2 · References: 1
RedhatCVE
added 2025/08/21 12:26 a.m. · 17 views

CVE-2025-51489

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened...

CVSS: 5.4 · AI score: 6 · EPSS: 0.0032
Exploits: 2 · References: 1
NVD
added 2025/08/19 3:15 p.m. · 7 views

CVE-2025-51489

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened...

CVSS: 5.4 · EPSS: 0.0032
Exploits: 2 · References: 2
Cvelist
added 2025/08/19 12:0 a.m. · 10 views

CVE-2025-51487

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article...

EPSS: 0.00401
Exploits: 2 · References: 2
Positive Technologies
added 2025/05/13 12:0 a.m. · 5 views

PT-2025-23244 · Freescout · Freescout

Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.180. Description: The issue is related to insufficient input validation during user creation, resulting in a mass assignment vulnerability. This vulnerability allows an attacker to manipulate all fields of the...

CVSS: 7.5 · AI score: 6.2 · EPSS: 0.00393
Exploits: 1 · References: 9
BDU FSTEC
added 2024/01/24 12:0 a.m. · 4 views

The vulnerability of sub-components of the Create, Update, Authoring Flow component of the Oracle Knowledge Management component of the Oracle E-Business Suite allows a malicious actor to gain access to read, modify, add, or delete data.

The vulnerability of the Create, Update, Authoring, and Flow components of the Oracle Knowledge Management component within the Oracle E-Business Suite exists due to insufficient validation of input data. Exploiting this vulnerability can allow an attacker, operating remotely, to gain access to...

CVSS: 6.4 · AI score: 6.8 · EPSS: 0.00168
Exploits: 0 · References: 3 · Affected Software: 2
The Hacker News
added 2023/06/07 1:21 p.m. · 4 views

Microsoft to Pay $20 Million Penalty for Illegally Collecting Kids' Data on Xbox

Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission (FTC) charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents' knowledge or consent. "Our proposed order makes i...

AI score: 6.4
Exploits: 0