Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Summary IBM Application Performance Management is vulnerable to denial of service, remote code execution, information disclosures and other vulnerabilities due to bundled product IBM ® Db2. This bulletin identifies the steps to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-361...

CVE-2026-44047

A flaw was found in Netatalk. This vulnerability, identified as a SQL injection in the MySQL CNID backend, could allow a remote attacker to execute arbitrary code or gain unauthorized access to sensitive information. Successful exploitation could lead to significant data compromise, data...

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

...

Flattening of vulnerability issues within the Drupal core

Drupal has identified a vulnerability in the Drupal core versions starting from 8.9.0, specifically versions 10.x and 11.x. The vulnerability involves SQL injection in the Drupal’s database abstraction API. As a result, unauthorized malicious actors can execute arbitrary SQL injections on sites...

CVE-2026-44047 SQL injection in MySQL CNID backend

An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service...

WordPress Advanced Database Cleaner – Premium plugin <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion vulnerability

Authenticated Subscriber+ Local File Inclusion vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin Advanced Database Cleaner – Premium versions = 4.1.0...

Exploit for CVE-2026-9082

CVE-2026-9082 Type: SQL Injection CWE-89 Affected Pr...

SUSE CVE-2026-47784

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by saslserveruserdbcheckpass...

[SECURITY] Fedora 43 Update: mysql8.0-8.0.46-1.fc43

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon mysqld and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files...

[SECURITY] Fedora 44 Update: mysql8.0-8.0.46-1.fc44

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon mysqld and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files...

[SECURITY] Fedora 44 Update: mysql8.4-8.4.9-1.fc44

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon mysqld and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files...

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from the fact that the values of latitude, longitude, callsign, mph, altitude, and timestamp,...

PT-2026-45157

Name of the Vulnerable Software and Affected Versions Twig affected versions not specified Description The TwigProfilerDumperHtmlDumper component fails to escape the output of Profile::getTemplate and Profile::getName when writing to HTML. If an attacker can control the template name—which may...

PT-2026-42520

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in import mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration value...

PT-2026-42598

Summary The fileID field from Manifest.db a SQLite database inside iOS backups, generated by the device is used directly in filesystem path construction without validation. This affects two commands through a shared code path: - mvt-ios decrypt-backup decrypt.py: file id is used to construct both...

WordPress plugin WP Directory Kit SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from the offset GET parameters in the ajax/sitincidents.php file being directly concatenated...

PT-2026-42519

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from multiple POST parameters in the dbloader.php file—ticketsdb, ticketshost, ticketsuser, a...

PT-2026-42663

Name of the Vulnerable Software and Affected Versions OpenMetadata versions prior to 1.12.4 Description A non-admin SSO user can trigger a TEST CONNECTION workflow for a Database Service and receive sensitive information in the HTTP 201 response of the 'POST /api/v1/automations/workflows' endpoin...