PT-2026-47687

A cross-site scripting XSS vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS...

PT-2026-47759

In the Linux kernel, the following vulnerability has been resolved: tun: free page on build skb failure in tun xdp one When build skb fails in tun xdp one, the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost net build xdp allocated for th...

PT-2026-47718

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted...

PT-2026-47772

Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Attackers can send GET requests with crafted SQL payloads in the albid parameter to extract sensitive...

PT-2026-47719

In the Linux kernel, the following vulnerability has been resolved: io uring/waitid: clear waitid info before copying it to userspace IORING OP WAITID stores its result fields in struct io waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, bu...

PT-2026-47768

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with malicious SQL payload...

ROS-20260609-73-0003

The vulnerability of the RDP client FreeRDP is related to the escape of operations beyond the buffer in memory due to incorrect validation of input data. Exploiting this vulnerability can allow an attacker operating remotely to gain unauthorized access to protected information...

PT-2026-47684

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the six storage get user info and six storage update profile AJAX actions. This is due to the six storage getUserInfo...

PT-2026-47532

SAP S/4HANAOn-Premise contains SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries.This flaw exposes sensitive information to which they should not otherwise have access...

PT-2026-47641

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later...

PT-2026-47536

Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with...

PT-2026-47766

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space id parameter. Attackers can send GET requests to the booking-page endpoint with...

PT-2026-47763

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to...

GHSA-QM33-P5P9-F8VG nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

CVE-2026-11695

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2026-11695

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2026-11695

CVE-2026-11695 affects Google Chrome Passwords with an inappropriate implementation that allows a remote attacker to leak cross-origin data via a crafted HTML page. Affected product: Google Chrome (password handling). Root cause: improper handling leading to cross-origin data exposure. Impact: cr...

CVE-2026-11691

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2026-11691

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2026-11691

Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...