Lucene search
10240 matches found

ATTACKERKB
added 2026/05/06 11:28 a.m., 3 views

CVE-2026-43215

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the...

AI score 5.8, EPSS 0.00298
Exploits: 0, References: 6, Affected Software: 1
Cvelist
added 2026/05/06 11:28 a.m., 26 views

CVE-2026-43215 cifs: Fix locking usage for tcon fields

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the...

CVSS 8.8, EPSS 0.00298
Exploits: 0, References: 5
CVE
added 2026/05/06 11:28 a.m., 27 views

CVE-2026-43215

The CVE-2026-43215 issue affects the Linux kernel CIFS implementation: the code used cifs_tcp_ses_lock to guard tcon fields, but this lock protected more than intended. The patch introduces more granular locking (tc_lock) within tcon-related structures (in addition to srv_lock and ses_lock) to re...

CVSS 8.8, AI score 5.8, EPSS 0.00298
Exploits: 0, References: 5, Affected Software: 1
Debian CVE
added 2026/05/06 11:28 a.m., 8 views

CVE-2026-43215

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the...

CVSS 8.8, AI score 5.7, EPSS 0.00298
Exploits: 0
CVE
added 2026/05/06 11:28 a.m., 9 views

CVE-2026-43209

CVE-2026-43209 – minix filesystem sanity check in Linux kernel : The minix filesystem implementation lacked proper sanity checks in minix_check_superblock(), notably for s_log_zone_size, which the patch now enforces (only 0 is supported). The update also adds sanity checks for other superblock fi...

CVSS 5.5, AI score 5.8, EPSS 0.00128
Exploits: 0, References: 8, Affected Software: 1
Cvelist
added 2026/05/06 11:27 a.m., 26 views

CVE-2026-43136 HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()

In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be...

EPSS 0.00128
Exploits: 0, References: 8
CVE
added 2026/05/06 11:27 a.m., 12 views

CVE-2026-43136

The CVE-2026-43136 issue affects the Linux kernel HID subsystem (logitech-hidpp) where fake USB devices could craft HID report descriptors without valid fields, potentially crashing the kernel over USB. The root cause is a missing validation in hidpp_get_report_length() that allowed reports with ...

CVSS 5.5, AI score 5.7, EPSS 0.00128
Exploits: 0, References: 8, Affected Software: 1
Vulnrichment
added 2026/05/06 8:28 a.m., 6 views

CVE-2026-43975 Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...

AI score 5.9, EPSS 0.00732
Exploits: 0, References: 2
NVD
added 2026/05/06 8:16 a.m., 27 views

CVE-2026-7457

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters firstname, lastname, phone, notes bypass sanitizati...

CVSS 6.4, EPSS 0.00339
Exploits: 0, References: 11
EUVD
added 2026/05/06 6:47 a.m., 3 views

EUVD-2026-27544

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters firstname, lastname, phone, notes bypass sanitizati...

CVSS 6.4, AI score 6, EPSS 0.00339
Exploits: 0, References: 11
Positive Technologies
added 2026/05/06 12:00 a.m., 6 views

PT-2026-37555

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: An issue exists in the CIFS component where cifs_tcp_ses_lock was used to protect various objects, including tcon fields, instead of using more granular locks. This caused unnecessary...

CVSS 8.8, AI score 7.6, EPSS 0.00298
Exploits: 0, References: 15
Positive Technologies
added 2026/05/06 12:00 a.m., 6 views

PT-2026-37476

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: An issue exists in the hidpp_get_report_length() function within the logitech-hidpp module. The system fails to properly check the maxfield variable when a report contains no fields. This...

CVSS 5.5, AI score 5.4, EPSS 0.00128
Exploits: 0, References: 18
Tenable Nessus
added 2026/05/06 12:00 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-43215

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later...

CVSS 8.8, AI score 5.8, EPSS 0.00298
Exploits: 0, References: 4
Snyk
added 2026/05/05 10:17 p.m., 7 views

CRLF Injection

Overview: sse-channel is a Server-Sent Events "channel" where all messages are broadcast to all connected clients, history is maintained automatically and the server attempts to keep clients alive by sending "keep-alive" packets automatically. Affected versions of this package are vulnerable to CRLF...

CVSS 8.7, AI score 5.9, EPSS 0.0041
Exploits: 0, References: 2
Patchstack
added 2026/05/05 10:17 p.m., 5 views

NPM: sse-channel: SSE Injection via unsanitized event fields

NPM: sse-channel: SSE Injection via unsanitized event fields vulnerability discovered by ? in WordPress Npm sse-channel versions = 4.0.0...

CVSS 8.7, AI score 5.8, EPSS 0.0041
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/05/05 10:17 p.m., 5 views

GHSA-84HM-WFH8-C5PG sse-channel: SSE Injection via unsanitized event fields

Impact: Implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. - Event Spoofing: Attacker can inject arbitrary SSE events into the stream - Client-side...

CVSS 8.7, AI score 5.9, EPSS 0.0041
Exploits: 0, References: 4
Github Security Blog
added 2026/05/05 10:17 p.m., 6 views

sse-channel: SSE Injection via unsanitized event fields

Impact: Implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. - Event Spoofing: Attacker can inject arbitrary SSE events into the stream - Client-side...

CVSS 8.7, AI score 5.9, EPSS 0.0041
Exploits: 0, References: 4, Affected Software: 1
Snyk
added 2026/05/05 9:26 p.m., 7 views

Improper Input Validation

Overview: getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Improper Input Validation via the register process. An attacker can gain unauthorized administrative privileges by submitting crafted groups o...

CVSS 9.4, AI score 5.8, EPSS 0.00939
Exploits: 0, References: 2
Snyk
added 2026/05/05 9:24 p.m., 6 views

Cross-site Scripting (XSS)

Overview: getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of taxonomy field values in the admin panel, where user-supplied input is output using the |raw filt...

CVSS 5.4, AI score 5.8, EPSS 0.0015
Exploits: 0, References: 2
OSV
added 2026/05/05 9:24 p.m., 4 views

GHSA-C2Q3-P4JR-C55F Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel

Summary: A Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary...

CVSS 5.4, AI score 6, EPSS 0.0015
Exploits: 0, References: 5