ROOT-OS-UBUNTU-2404-CVE-2026-23141 CVE-2026-23141 in rootio-linux - Patched by Root

Root has patched CVE-2026-23141 in the rootio-linux package for Root:Ubuntu:24.04. Multiple fixed versions available...

ROOT-OS-UBUNTU-2204-CVE-2026-46064 CVE-2026-46064 in rootio-linux - Patched by Root

Root has patched CVE-2026-46064 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

CVE-2026-42878

FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PH...

CVE-2026-7766

Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An unauthenticated attacker can send GET request with arbitrary file path and read corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-G2 cameras. Rest of the produc...

OPENSUSE-SU-2026:20709-1 Security update for tor

This update for tor fixes the following issues: Changes in tor: - Update to 0.4.9.8 Fix out-of-bounds read boo1264341, CVE-2026-44597, TROVE-2026-011 Do not attempt or accept BEGINDIR via conflux legs boo1264342, CVE-2026-44599,TROVE-2026-008 Adjust conflux out-of-order queue accounting when...

Fedora 42 : buildah / podman / skopeo (2026-156e6bfb27)

The remote Fedora 42 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-156e6bfb27 advisory. Automatic update for buildah-1.43.1-1.fc42, skopeo-1.22.2-1.fc42, podman-5.8.2-1.fc42. Changelog for buildah Wed Apr 08 2026 Packit - 2:1.43.1-1 - Update to...

Oracle Linux 10 : pcs (ELSA-2026-10713)

The remote Oracle Linux 10 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-10713 advisory. 0.12.1-1.el101.3 - Fixed CVE-2026-4800 by updating HA Cluster Management add-on to 0.1.23.2 Resolves: RHEL-164062 Tenable has extracted the preceding...

CVE-2026-40874

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...

EUVD-2026-24262

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw $SERVER'REQUESTURI' to Twig as a global template variable and renders it inside a JavaScript string literal in the setLang helper of base.twig,...

CVE-2026-40874

CVE-2026-40874 affects mailcow: dockerized. Prior to 2026-03b, there was no administrator verification for deleting Forwarding Hosts via /api/v1/delete/fwdhost, allowing any authenticated user to call the API. Deletion could significantly disrupt mail service, while checks existed only for edit/a...

CVE-2026-40872 mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value logged as the "user" field without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted...

EUVD-2026-19422

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download...

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

CVE-2026-26331 yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option

yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's --netrc-cmd command-line option or netrccmd Python API parameter is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously...

CVE-2026-26325 OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between rawCommand and command in the node host system.run handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node...