770 matches found
CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid
ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...
CVE-2026-26186 Fleet has a SQL injection via backtick escape in ORDER BY parameter
Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the orderkey query parameter. Due to unsafe use of goqu.I when constructing the ORDER BY clause, specially crafted input...
Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web API implementation, which listens on TCP po...
CVE-2026-1094
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI...
2026-02 .NET 10.0.3 Security Update for x86 Client (KB5077862)
2026-02 .NET 10.0.3 Security Update for x86 Client KB5077862...
Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS
Scrapy are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occur...
Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS
Scrapy are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occur...
CVE-2025-13375
IBM Common Cryptographic Architecture CCA 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system...
CVE-2025-13375
IBM Common Cryptographic Architecture (CCA) versions affected: 7.5.52 and 8.4.82. The Red Hat/IBM bulletin and NVD entries indicate an unauthenticated user could execute arbitrary commands with elevated privileges on systems running these CCA releases. Affected platforms include IBM AIX, IBM i, I...
CVE-2026-24762
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
CVE-2025-26385
Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command Command Injection Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects Metasys: Application and Data Server ADS installed...
CGA-HP42-XC84-GHF7
Bulletin has no description...
CGA-83HM-F2HW-QMMG
Bulletin has no description...
A Systematic Literature Review on LLM Defenses against Prompt Injection and Jailbreaking: Expanding NIST Taxonomy
The rapid advancement and widespread adoption of generative artificial intelligence GenAI and large language models LLMs has been accompanied by the emergence of new security vulnerabilities and challenges, such as jailbreaking and other prompt injection attacks. These maliciously crafted inputs...
CVE-2026-0782
ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific fla...
EUVD-2026-4086
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through = 8.3.7...
PT-2026-3897
AP180 series with firmware versions prior to AP RGOS 11.94B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices...
VoidLink Linux Malware Framework Built with AI Assistance Reaches 88,000 Lines of Code
The recently discovered sophisticated Linux malware framework known as VoidLink is assessed to have been developed by a single person with assistance from an artificial intelligence AI model. That's according to new findings from Check Point Research, which identified operational security blunder...
CVE-2025-59960
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service jdhcpd of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service DoS on the downstream DHCP...
CVE-2026-22782
RustFS (RustFS) vulnerability CVE-2026-22782: an invalid RPC signature path in crates/ecstore/src/rpc/http_auth.rs logs the shared HMAC secret and the expected_signature for any invalidly signed request, exposing the secret to log readers and enabling forged RPC calls. Affected versions are 1.0.0...