CVE-2026-40326 Masa CMS CSRF in site bundle creation allows unauthorized site data export

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in csettings.cfc does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in...

wger: CSV/TSV formula injection in gym member export (first_name/last_name)

Summary The gym member TSV export endpoint in wger writes firstname and lastname profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member including newly self-registered users can pre-load a spreadsheet formula into their own profile. When a gym admin later exports...

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the export function. An attacker can execute arbitrary spreadsheet formulas in the context of an administrator's local machine by injecting formula payloads into profile fields, which are then exported and opened in...

GHSA-XQ9M-HMP9-FW87 wger: CSV/TSV formula injection in gym member export (first_name/last_name)

Summary The gym member TSV export endpoint in wger writes firstname and lastname profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member including newly self-registered users can pre-load a spreadsheet formula into their own profile. When a gym admin later exports...

Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates

Summary Kimai's Twig sandbox StrictPolicy, used for admin-uploaded invoice and export templates allow-lists the config Twig function with no key filtering. configname delegates to App\Configuration\SystemConfiguration::find$name, which returns arbitrary entries from the flattened kimai.config...

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure via the config function. An attacker can access sensitive server-wide secrets, such as LDAP bind passwords and SAML private keys, by uploading a malicious template and causing it to be rendered by another...

EUVD-2026-27743

In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the pare...

CVE-2026-43088

In the Linux kernel, the following vulnerability has been resolved: net: afkey: zero aligned sockaddr tail in PFKEY exports PFKEY export paths use pfkeysockaddrsize when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkeysockaddrfill initializes only th...

CVE-2026-43088 net: af_key: zero aligned sockaddr tail in PF_KEY exports

In the Linux kernel, the following vulnerability has been resolved: net: afkey: zero aligned sockaddr tail in PFKEY exports PFKEY export paths use pfkeysockaddrsize when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkeysockaddrfill initializes only th...

CVE-2026-43088

CVE-2026-43088 (Linux kernel) affects PF_KEY export paths in the net: af_key code, where IPv6 sockaddr payloads were not fully initialized in certain export messages (SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, SADB_X_MIGRATE). The issue arises because pfkey_sockaddr_size() reserves 32 bytes for IPv6...

CVE-2026-5753

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmveSchedulesController::save' handler for 'adminpostai1wmscheduleeventsave' not verifying user capabilities before saving...

PT-2026-37398

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the PF KEY export paths where pfkey sockaddr size is used to reserve sockaddr payload space, resulting in IPv6 addresses occupying 32 bytes. However, the pfkey sockadd...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the fact that the last four bytes of the sockaddrin6 structure in the PFKEY export path are not...

PT-2026-37342

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve Schedules Controller::save' handler for 'admin post ai1wm schedule event save' not verifying user capabilities before...

PT-2026-38267

A reflected XSS vulnerability was found under admin panel - System - Import/Export - Dataflow - Profiles. Steps to produce + Login to the admin panel + Go to the path System - Import/Export - Dataflow - Profiles + Select profile direction as Import. + Click on Import Customers + Upload the file...

Linux Distros Unpatched Vulnerability : CVE-2026-43088

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net: afkey: zero aligned sockaddr tail in PFKEY exports PFKEY export paths use pfkeysockaddrsize when reserving sockaddr payload space, so IPv6 addresses occupy...

Kimai vulnerable to formula Injection via tag names in XLSX export

Summary Any ROLEUSER can create a tag with a formula string as its name e.g. =SUM54+51 via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joins tag names with implode and returns the result unchanged. OpenSpout promotes any...

GHSA-3XC2-H5R3-WV3R Kimai vulnerable to formula Injection via tag names in XLSX export

Summary Any ROLEUSER can create a tag with a formula string as its name e.g. =SUM54+51 via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joins tag names with implode and returns the result unchanged. OpenSpout promotes any...

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the XLSX export process. An attacker can execute arbitrary formulas on the system of a user who opens the exported file by creating a tag with a formula string as its name and assigning it to a timesheet, which is then...

wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured

Description Impact wireshark-mcp exposes a wiresharkexportobjects MCP tool that accepts an attacker-controlled destdir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction. The path sandbox alloweddirs is None by default and only activates when the...