1274 matches found
CVE-2026-56384
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...
Linux Distros Unpatched Vulnerability : CVE-2026-52909
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ip6_vti: set netns_immutable on the fallback device. john1988 and Noam Rathaus reported that vti6_init_net() does not set the netns_immutable flag on the per-netns...
EUVD-2026-38033
In the Linux kernel, the following vulnerability has been resolved: ip6_vti: set netns_immutable on the fallback device. john1988 and Noam Rathaus reported that vti6_init_net() does not set the netns_immutable flag on the per-netns fallback tunnel device ip6_vti0. Other similar tunnel drivers like...
CVE-2026-52909
The CVE-2026-5299x family concerns the Linux kernel IPv6 virtual tunnel interfaces. The issue: in vti6_init_net(), the per-netns fallback tunnel device (ip6_vti0) does not set the netns_immutable flag, allowing the device to be moved between network namespaces. This flag is correctly set by other...
Astra Linux – Vulnerability in libde265
Libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited through a specially crafted file...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: mptcp: Race conditions between subflow failures and additional subflow creations. We have race conditions similar to those addressed by the previous patch, between subflow failures and additional subflow creations. However, these...
Astra Linux – Vulnerability in libde265
Libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fallback_16 function, which can be exploited through a specially crafted file...
Astra Linux – Vulnerability in Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: Fixed page mapping issues when vm_area_alloc_pages() uses high-order allocation modes with an order of 0 as the default. The vmap_pages_range_noflush() function assumes that the pages argument contains pages with the same page...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: nilfs2: Do not force clear the buffer if it is referenced. The patch series “nilfs2: Protect busy buffer heads from being forced to be cleared” addresses this issue. This patch fixes the inconsistency in buffer head states report...
Astra Linux – Vulnerability in libde265
It was discovered that Libde265 v1.0.8 contains a heap-buffer-overflow vulnerability through the use of put_unweighted_pred_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) using a specially crafted video file...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: mptcp: The “kern” flag was removed from fallback sockets. The mptcp ULP extension relies on ensuring that sk->sk_sock_kern is set correctly. This prevents the call to setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6) from working for pla...
Deno: Miller-Rabin Primality Test Allows Zero Rounds
Summary: node:crypto.checkPrime(candidate, options, callback) and crypto.checkPrimeSync(candidate, options) ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any...
MAL-2026-5859 Malicious code in setka-editor (npm)
Source: amazon-inspector a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069. package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install...
CVE-2026-8385 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback
The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title,...
Fedora 44 : composer (2026-9b34a78e81)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9b34a78e81 advisory. Version 2.10.1 - 2026-06-04 Security: Fixed shell escaping when opening an editor 12903 Security: Verify backup phar signature before restoring it when using...
EUVD-2026-35403
TYPO3 CMS has Broken Access Control in its Media Module...
GHSA-CHM7-4VCH-H8VR TYPO3 CMS has Broken Access Control in its Media Module
Problem: Backend users with file download permissions were able to download files from the fallback storage of the File Abstraction Layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files...
TYPO3 CMS has Broken Access Control in its Media Module
Problem: Backend users with file download permissions were able to download files from the fallback storage of the File Abstraction Layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files...
Malicious code in theta-kit (npm)
Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039. package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...