GHSA-72R4-9C5J-MJ57 pnpm: `patch-remove` could delete project-selected files outside the patches directory
Summary: The patch-remove deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This patch validates the...
GHSA-FR4H-3CPH-29XV pnpm: Hoisted install imports lockfile alias outside node_modules
Summary: The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted node_modules directory. Traversal aliases could escape that directory, while reserved aliases suc...
PT-2026-53064
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user ca...
EulerOS 2.0 SP15 : openssl (EulerOS-SA-2026-2497)
According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory...
EulerOS 2.0 SP15 : openssl (EulerOS-SA-2026-2456)
According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory...
Debian dla-4654 : chromium - security update
The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4654 advisory. Debian LTS Advisory DLA-4654-1 ...
EulerOS 2.0 SP15 : systemd (EulerOS-SA-2026-2469)
According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. CVE-2026-40226 A flaw was...
EulerOS 2.0 SP15 : systemd (EulerOS-SA-2026-2510)
According to the versions of the systemd packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. CVE-2026-40226 A flaw was...
NewStart CGSL MAIN 6.06 : libreswan Multiple Vulnerabilities (NS-SA-2025-0243)
The remote NewStart CGSL host, running version MAIN 6.06, has libreswan packages installed that are affected by multiple vulnerabilities: - pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The...
PT-2026-53053
The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
PT-2026-53056
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-53041
The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-53040
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'queryselect' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
PT-2026-53050
The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
PT-2026-53048
The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the invoke methods of the...
PT-2026-53058
The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
PT-2026-53049
The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode...
PT-2026-53038
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu title' and 'menu magnifier color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for...