13 matches found
CLSA-2026-1778843906 nginx: Fix of CVE-2026-42945
CVE-2026-42945: fix heap buffer overflow in ngx_http_rewrite_module when an unnamed PCRE capture group with '?' in the replacement is followed by another rewrite, if, or set directive; clear stale is_args flag in regex end code to prevent buffer overrun and possible worker crash or code execution...
CVE-2026-1514
Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents...
CVE-2026-1514
Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents...
CVE-2026-1514 2100 Technology|Official Document Management System - Incorrect Authorization
Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents...
WordPress plugin Document Pro Elementor Information Disclosure Vulnerability
WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. WordPress plugin Document Pro Elementor has an information disclosure vulnerability, the...
CyberTutor New Site Server Security Vulnerability
CyberTutor New Site Server is a website builder system from CyberTutor, a Taiwan, China-based company. A security vulnerability exists in CyberTutor New Site Server that stems from the use of client-side authentication, which could allow an unauthenticated remote attacker to modify the front-end...
Annotation tool: token forgery using jwt secret to claim super admin role
Although the annotator tool's source code is not directly provided in the repository, a Docker image is provided. From there it is easy to get access to the source code by either extracting the Docker tar image, which can be exported from Docker itself, or connecting to the container with an...
Design/Logic Flaw
Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by constructing a POST request message and sending the request to the creation of a static routing rule...
GHSA-65M9-M259-7JQW Improper Authorization in react-oauth-flow
All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. Recommendation No fix ...
Improper Authorization
Overview All versions of react-oauth-flow fail to properly implement the OAuth protocol. The package stores secrets in the front-end code. Instead of using a public OAuth client, it uses a confidential client on the browser. This may allow attackers to compromise server credentials. Recommendatio...
ExpressionEngine: Full path + some back-end code disclosure
Hello, Ironically enough, I just discovered a full path disclosure issue. When an admin edits their personal information, a request like the following gets sent: POST /ee/admin.php?/cp/members/profile/settings&id=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0...
kernel: proc: protect mm start_code/end_code in /proc/pid/stat
The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/pid/stat file for a process executing a PIE...
kernel: proc: protect mm start_code/end_code in /proc/pid/stat
The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/pid/stat file for a process executing a PIE...