18 matches found
CVE-2026-9136
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
CVE-2026-7459
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated Subscriber+ account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints reacttoevent / unreacttoevent. The endpoints register getitemspermissionschec...
CVE-2026-7459
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated Subscriber+ account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints reacttoevent / unreacttoevent. The endpoints register getitemspermissionschec...
CVE-2026-9136
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
EUVD-2026-31151
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
CVE-2026-32899
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction and pin non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from...
PT-2026-26748
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction and pin non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from...
GHSA-V8CG-4474-49V8 OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Summary Slack member and message subtype system events messagechanged, messagedeleted, threadbroadcast were not consistently enforcing sender authorization before enqueueing system events. Affected Packages / Versions - Package: openclaw npm - Latest published version: 2026.2.25 - Affected range:...
Azure Linux 3.0 Security Update: kernel (CVE-2025-37878)
The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-37878 advisory. - In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix WARNON!ctx in freeevent f...
EUVD-2025-14112
Malicious code in bioql PyPI...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fixed the WARNON!ctx message in freeevent for partial initialization. The call to getctxchildctx and the assignment of childevent-ctx are now performed immediately after the childevent is allocated. Ensure that...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: perf/core: The order of the PMU list needs to be adjusted to fix a warning regarding an unordered pmuctxlist. The Syskaller trigger a warning because prevepc-pmu does not equal nextepc-pmu in perfeventswaptaskctxdata. vmcore...
DEBIAN-CVE-2025-37878
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix WARNON!ctx in freeevent for partial init Move the getctxchildctx call and the childevent-ctx assignment to occur immediately after the child event is allocated. Ensure that childevent-ctx is non-NULL before any...
AZL-70150 CVE-2025-37878 affecting package kernel 5.15.200.1-1
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix WARNON!ctx in freeevent for partial init Move the getctxchildctx call and the childevent-ctx assignment to occur immediately after the child event is allocated. Ensure that childevent-ctx is non-NULL before any...
UBUNTU-CVE-2025-37878
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix WARNON!ctx in freeevent for partial init Move the getctxchildctx call and the childevent-ctx assignment to occur immediately after the child event is allocated. Ensure that childevent-ctx is non-NULL before any...
CVE-2025-37878 perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix WARNON!ctx in freeevent for partial init Move the getctxchildctx call and the childevent-ctx assignment to occur immediately after the child event is allocated. Ensure that childevent-ctx is non-NULL before any...
WordPress Activity Log – Monitor & Record User Changes plugin <= 2.11.1 - Unauthenticated Stored Cross-Site Scripting via Event Context vulnerability
Unauthenticated Stored Cross-Site Scripting via Event Context vulnerability discovered by mikemyers in WordPress Plugin Activity Log versions = 2.11.1...
Google Chrome DOM Memory Misreference Code Execution Vulnerability
Google Chrome is a popular WEB browser. A memory misreference vulnerability in Google Chrome DOM real core/events/TreeScopeEventContext.cpp allows attackers to construct a malicious WEB page and trick users into parsing it, which could crash the application or execute arbitrary code...