CVE-2026-26974
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports *.plugin.js/.mjs files, including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects...
CVE-2026-27134 Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user authentication
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted...
Security Bulletin: IBM Aspera faspio Gateway 1.3.7 has addressed a vulnerability affected by weak cryptographic algorithms
Summary: Aspera faspio Gateway uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. Vulnerability Details: CVEID: CVE-2025-14480. DESCRIPTION: Aspera faspio Gateway uses weaker than expected cryptographic algorithms that could allow an...
CVE-2026-27119
CVE-2026-27119 affects the Svelte framework’s server-side rendering output for the element, where content may not be properly escaped in certain conditions (versions 5.39.3 through 5.51.4). This can lead to HTML injection in SSR output, while client-side rendering remains unaffected. The vulnera...
CVE-2026-25474
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...
CVE-2026-24764 OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
OpenClaw (formerly Clawdbot) is a personal AI assistant that users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven...
PT-2026-21344
Name of the Vulnerable Software and Affected Versions: Formwork versions 2.0.0 through 2.3.3. Description: Formwork is a flat file-based Content Management System (CMS). The application does not properly enforce role-based authorization during account creation. Specifically, it does not verify if the...
Debian dsa-6143 : libvpx-dev - security update
The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6143 advisory. Debian Security Advisory DSA-6143-1 [email protected] https://www.debian.org/security/...
pypdf possibly has long runtimes for malformed FlateDecode streams
Impact: An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. Patches: This has been fixed in pypdf==6.7.1. Workarounds: If you cannot upgrade yet, consider applying the chang...
PT-2026-20273
Name of the Vulnerable Software and Affected Versions: URL Shortify plugin for WordPress, versions prior to 1.12.2. Description: The URL Shortify plugin for WordPress is susceptible to an Open Redirect issue in all versions up to and including 1.12.1. This is due to inadequate validation of the...
Nextcloud Talk allowlist bypass via actor.name display name spoofing
Summary: In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field (actor.name, the display name) could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...
PT-2026-20276
Name of the Vulnerable Software and Affected Versions: Tanium Enforce Recovery Key Portal, affected versions not specified. Description: An insecure file permissions issue exists in Tanium Enforce Recovery Key Portal. The vulnerability involves incorrect file permissions that could potentially be...
PT-2026-8094
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: The reported issue has been marked as rejected by NIST in the official CVE List, indicating it is not a valid or recognized vulnerability. No search results fro...
CVE-2026-26012
Vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwardenrs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible t...
Pillow affected by out-of-bounds write when loading PSD images
Impact: An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected. Patches: Pillow 12.1.1 will be released shortly with a fix for this. Workarounds: Image.open has a formats parameter that can be used to prevent PSD images from being opene...
CVE-2025-57713
A weak authentication vulnerability has been reported to affect File Station 5. Remote attackers can exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later...
CVE-2025-48723 Qsync Central
A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 2026/01/20 and...
CVE-2025-59386
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the...
CVE-2025-66274 QuTS hero
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the...
PT-2026-7561
An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of...