Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: undertow (UTSA-2026-021479)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021479 advisory. A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames can cause an OutOfMemoryError when the client sends a reque...

CVE-2025-56352

CVE-2025-56352 affects the tinyMQTT broker. When processing a CONNECT packet with a zero-length Client ID and CleanSession=0, the broker returns CONNACK 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection, leaving the socket open. Repeated invalid CONNECT attempts can exha...

PT-2026-41686

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A malicious input file can cause an out-of-bounds read of a single byte when writing an IPTC output file. An out-of-bounds read occurs when a program reads data...

Alibaba Cloud Linux 3 : 0113: python3 (ALINUX3-SA-2026:0113)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0113 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-4786: Mitgation ofCVE-2026-4519 w...

CVE-2026-8769

CVE-2026-8769 affects vercel ai up to 3.0.97, specifically the provider-utils file response-handler.ts (functions createJsonResponseHandler and createJsonErrorResponseHandler). The issue enables resource consumption that can be triggered remotely; exploit publicly disclosed. Details on affected v...

[SECURITY] [DSA 6279-1] redis security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6279-1 [email protected] https://www.debian.org/security/ Aron Xu May 17, 2026 https://www.debian.org/security/faq - -------------------------------------------------------------------------...

CVE-2026-8738

Sanluan PublicCMS 5.202506.d contains a vulnerability affecting the Trade payment flow. Specifically, the methods TradeOrderController.pay, TradePaymentController.pay, and AccountGatewayComponent.pay in the publiccms-trade module are affected, with the root cause described as a business logic man...

PublicCMS 安全漏洞

PublicCMS is an open-source content management system CMS developed in Java by PublicCMS Company in China. Version Sanluan PublicCMS 5.202506.d contains a security vulnerability. This vulnerability stems from a business logic error in the...

PT-2026-41524

A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the...

Debian dsa-6279 : redis - security update

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6279 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6279-1 [email protected]...

CVE-2026-8723

Summary qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options skipNulls, strictNullHandling. Details In the comma + encodeValuesOnly...

CVE-2026-8723

Summary qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options skipNulls, strictNullHandling. Details In the comma + encodeValuesOnly...

Sensitive Information Exposure

com.ritense.valtimo, web is vulnerable to sensitive information exposure. The vulnerability is due to the LoggingRestClientCustomizer automatically logging full HTTP request and response details, including headers and bodies, in error messages, which allows an attacker to access sensitive...

SUSE CVE-2026-41181

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...

PT-2026-41469

Name of the Vulnerable Software and Affected Versions qs versions 6.11.1 through 6.15.1 Description The stringify function throws a TypeError when called with the options arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined elements. This occurs because the...

CVE-2026-45316 Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the POST /api/v1/notes/id/pin endpoint performs a write operation toggling the ispinned field but only checks for read permission. Users with read-only access to a shared note can...

CVE-2026-44568

Summary: Open WebUI before v0.9.0 has a Stored XSS in the Pending User Overlay content. The vulnerability stems from rendering the admin-configured Pending User Overlay Content via marked.parse() inside {@html} with DOMPurify applied before markdown parsing, allowing an admin to inject JavaScript...

CVE-2026-45622

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting XSS issue in the public product return form in Vvveb CMS. The customerorderid POST parameter is inserted into the...

EUVD-2026-30583

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting XSS issue in the public product return form in Vvveb CMS. The customerorderid POST parameter is inserted into the...

CVE-2026-26332

A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to escape the sandbox environment by exploiting the SuppressedError mechanism. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and...