CVE-2026-41401

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lydparsersetdataflags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata...

Malicious code in aonote (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976KB UPX-packed Linux x86-64 ELF sha256 36abd242... shipped ...

PT-2026-43252

Name of the Vulnerable Software and Affected Versions libyang versions prior to 5.2.6 Description A heap use-after-free write occurs in the lyd parser set data flags function. This happens when the software incorrectly updates metadata list pointers while freeing non-head default metadata entries...

epa4all-client 数据伪造问题漏洞

epa4all-client is an open-source document writing client tool developed by Oviva AG. Versions of epa4all-client prior to version 1.2.2 contained a data manipulation vulnerability. This vulnerability arises from the possibility for a man-in-the-middle attacker to replace the discovered documents...

HP LaserJet Printers Exposure of Sensitive Information to an Unauthorized Actor (CVE-2013-4829)

HP LaserJet M4555, M525, and M725; LaserJet flow MFP M525c; LaserJet Enterprise color flow MFP M575c; Color LaserJet CM4540, M575, and M775; and ScanJet Enterprise 8500fn1 FutureSmart devices allow local users to read images of arbitrary scanned documents via unspecified vectors. This plugin only...

XML External Entity (XXE) Injection

Overview tpwd/kesearch is a search extension for TYPO3, including faceting search functions. Affected versions of this package are vulnerable to XML External Entity XXE Injection via the OOXML parsing of the file indexer, external entity resolution is not disabled. A crafted XLSX or PPTX document...

EUVD-2026-31454

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : Devolutions Server 2026.1.6.0...

CVE-2026-9248

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : Devolutions Server 2026.1.6.0...

MAL-2026-4474 Malicious code in acc-document-editing (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c82ee7b879d66ba2fb79ec7ad7fee47623c2c3b68c8a925510b1f42cd1e3456 The DocumentEditor React component exported by this package, when an end-user opens a.doc file, POSTs the raw file bytes to...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...

PT-2026-42794

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : Devolutions Server 2026.1.6.0...

CVE-2026-33137

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/wikiName API executes a XAR import without...

CVE-2026-33137 XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/wikiName API executes a XAR import without...

CVE-2026-33137

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/wikiName API executes a XAR import without...

UBUNTU-CVE-2026-9100

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash via a division-by-zero or silently leak process memo...

Astra Linux - уязвимость в pypdf2

pypdf is a pure-Python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who exploits this vulnerability can create a PDF that results in unexpected long execution times. This quadratic execution time blocks the current process and can even...

Astra Linux - уязвимость в cups

An authentication issue has been resolved through improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, and macOS Ventura 13.4. Unauthenticated users may be able to access recently printed documents...

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

CVE-2026-39309 Trilium Notes: macOS TCC Bypass via Prompt Spoofing

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

CVE-2026-33741 EspoCRM: Stored XSS via SVG attachment loading same-origin JavaScript

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry...