13 matches found

CVE
added 5 days ago, 7 views

CVE-2026-53899

CVE-2026-53899 affects Firefox for iOS. The issue arises from partial domain matching when attaching cookies to PDF requests, enabling a malicious site on a suffix domain to receive cookies belonging to the target site. The root cause is tied to how cookies were matched during PDF handling, leadi...

CVSS 6.5 | AI score 5.3 | EPSS 0.00096
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2026/05/22 7:29 p.m., 9 views

CVE-2026-40597 MantisBT has a Content Security Policy bypass via attachments

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via th...

CVSS 7.6 | EPSS 0.00587
Exploits: 0 | References: 3
Positive Technologies
added 2026/03/06 12:0 a.m., 7 views

PT-2026-23725

Name of the Vulnerable Software and Affected Versions: Zarf versions 0.54.0 through 0.73.0. Description: Zarf, an Airgap Native Packager Manager for Kubernetes, contains a path traversal flaw in its archive extraction process. A specially designed Zarf package can create symbolic links that point to...

CVSS 9.9 | AI score 6.1 | EPSS 0.22162
Exploits: 68 | References: 139
CVE
added 2026/02/13 12:21 a.m., 20 views

CVE-2025-9292

CVE-2025-9292 affects TP-Link Omada Cloud Controller. A permissive web security configuration may bypass cross-origin restrictions in certain conditions, enabling potential unauthorized disclosure of sensitive data. Exploitation requires an existing client-side injection vulnerability and access ...

CVSS 7.5 | AI score 5.6 | EPSS 0.00342
Exploits: 0 | References: 2 | Affected Software: 14
ATTACKERKB
added 2026/02/11 12:19 p.m., 3 views

CVE-2025-48725

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QuTS hero...

CVSS 2.3 | AI score 5.9 | EPSS 0.00398
Exploits: 0 | References: 2
IBM Security Bulletins
added 2026/01/22 5:8 a.m., 10 views

Security Bulletin: Vulnerabilities in Netty affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary: Potential vulnerability in Netty has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details: CVEID: CVE-2025-25193 DESCRIPTION: Netty, an...

CVSS 5.5 | AI score 6.9 | EPSS 0.00408
Exploits: 1 | Affected Software: 1
CVE
added 2026/01/02 2:55 p.m., 10 views

CVE-2025-53590

CVE-2025-53590 is a NULL pointer dereference vulnerability affecting QNAP QTS/QuTS hero operating systems. A remote attacker who has an administrator account can exploit this to cause a denial-of-service. The issue impacts several QNAP OS versions, with remediation implemented in QTS 5.2.7.3256 b...

CVSS 5.1 | AI score 6.5 | EPSS 0.003
Exploits: 0 | References: 1 | Affected Software: 1
Positive Technologies
added 2025/12/10 12:0 a.m., 5 views

PT-2025-50504

Name of the Vulnerable Software and Affected Versions: WBCE CMS versions prior to 1.6.5. Description: WBCE CMS is a content management system. Versions 1.6.4 and below contain a flaw in the user management module that allows a low-privileged authenticated user with user modification permissions to...

CVSS 9.4 | AI score 7.2 | EPSS 0.00462
Exploits: 3 | References: 5
Cvelist
added 2025/12/05 5:26 p.m., 20 views

CVE-2025-66548 Nextcloud Deck app allows to spoof file extensions by using RTLO characters

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into downloading files with a different extension th...

CVSS 3.3 | EPSS 0.00125
Exploits: 0 | References: 4
EUVD
added 2025/11/07 6:30 p.m., 3 views

EUVD-2025-38277

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We ha...

CVSS 7.1 | AI score 6.4 | EPSS 0.00404
Exploits: 0 | References: 2
OSV
added 2025/09/15 11:15 p.m., 2 views

CVE-2025-31268

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8, macOS Sequoia 15.7. An app may be able to access protected user data...

CVSS 5.5 | AI score 5.7 | EPSS 0.002
Exploits: 0 | References: 5
OSV
added 2025/06/16 11:33 a.m., 4 views

USN-7536-2 cifs-utils regression

USN-7536-1 fixed vulnerabilities in cifs-utils. This update introduced a regression in certain environments. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that cifs-utils incorrectly handled namespaces when obtaining Kerberos...

AI score 5.8
Exploits: 0 | References: 3
OSV
added 2017/03/19 6:59 p.m., 1 views

CVE-2016-8855

Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. 160519 (8.1 Update-3) allows remote attacks via the Name or Description parameter. This is fixed in 8.2 Update-2...

CVSS 6.1 | AI score 5.8 | EPSS 0.02186
Exploits: 6 | References: 2