CVE-2026-42202 nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields

NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized event and id fields vulnerability discovered by ? in WordPress Npm eventsource-encoder versions = 1.0.1...

HTTP Response Splitting

Overview eventsource-encoder is an Encodes events as well-formed EventSource/Server Sent Event SSE messages Affected versions of this package are vulnerable to HTTP Response Splitting via unsanitized event and id fields in the encoding process. An attacker can inject arbitrary Server-Sent Events...

eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields

Summary eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators \n, \r, or \r\n and thereby forge additional SSE fields or entire messages on the...

GHSA-M9G3-3G99-MHPX eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields

Summary eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators \n, \r, or \r\n and thereby forge additional SSE fields or entire messages on the...

EUVD-2026-28743

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime runtime = s-runtime at line 2157. After releasing the stream lock at...

UBUNTU-CVE-2026-43437

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime runtime = s-runtime at line 2157. After releasing the stream lock at...

CVE-2026-43437

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime runtime = s-runtime at line 2157. After releasing the stream lock at...

CVE-2026-43437

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime runtime = s-runtime at line 2157. After releasing the stream lock at...

CVE-2026-43437

CVE-2026-43437 affects the Linux kernel ALSA PCM subsystem (snd_pcm_drain). The issue is a use-after-free in the drain path: during drain, runtime is reassigned to a linked stream’s runtime and after releasing the stream lock, runtime fields (no_period_wakeup, rate, buffer_size) are accessed with...

CVE-2026-43437 ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime runtime = s-runtime at line 2157. After releasing the stream lock at...

SUSE CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

Dolibarr 注入漏洞

Dolibarr is an open-source application developed by Dolibarr developers. It helps manage activities of user organizations. Dolibarr versions 22.0.2 and earlier had a vulnerability due to a problem with remote code execution in the authentication process for additional user fields. The computed...

Thruk Monitoring 跨站脚本漏洞

Thruk Monitoring is an open-source visualization interface developed by Thruk, designed for centrally displaying and managing system monitoring data. Versions of Thruk Monitoring prior to 2.46.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the login fields in th...

PT-2026-39098

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A use-after-free issue exists in the ALSA pcm component within the snd pcm drain function. In the drain loop, the runtime variable is reassigned to a linked stream's runtime. After the...

Laravel Nova 5 Toggle Field 授权问题漏洞

Laravel Nova 5 Toggle Field is a tool developed by Almir Hodzic for quickly toggling boolean values in Laravel Nova 5. Versions of Laravel Nova 5 Toggle Field prior to 1.3.0 had an authorization vulnerability. This vulnerability stemmed from the fact that the endpoint was only protected by web an...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the USB Yurex driver’s detection process. During this process, the BBU members are not set to an...

Linux Distros Unpatched Vulnerability : CVE-2026-43437

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime...

PT-2026-39114

Name of the Vulnerable Software and Affected Versions Linux kernel versions 5.10 through 6.19 Description A stack out-of-bounds read exists in the nftables pipapo set backend within the pipapo drop function. The issue occurs because the function passes rulemapi + 1.n to pipapo unmap as the to...

CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...