Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v4: Do not allow a VMOVP operation on a VPE that is already being unmapped. Kunkun Jiang reported that there is a small window of opportunity for userspace to force a change in the affinity of a VPE while the VPE has...

PT-2026-50801

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.4 Description Missing authorization in the public API allows users to bypass role permission checks. The system only verifies a shared API key header via the hasValidToken function instead of validating individua...

CVE-2026-46855

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager component: Metadata Plugin. Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle...

EUVD-2025-210166

Unauthenticated Broken Access Control in WP Event SOlution = 4.1.12 versions...

NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases vulnerability discovered by ? in WordPress Npm js-yaml versions = 4.1.1...

PT-2026-48851

A further incomplete fix for a previous advisory CVE-2026-44417 Untrusted JMS configuration can lead to RCE for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions...

DEBIAN-CVE-2026-46373

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any...

CVE-2026-46340 vulnerabilities

Vulnerabilities for packages: apache-hop-fips, celeborn, management-api-for-apache-cassandra-4.0, trino, management-api-for-apache-cassandra-4.1, management-api-for-apache-cassandra-5.0, pinot-fips, seata, thingsboard, pinot, tez, apache-hop...

EUVD-2026-34947

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP...

Untrusted Search Path

Overview software.amazon.jdbc:aws-advanced-jdbc-wrapper is an Amazon Web Services AWS Advanced JDBC Wrapper Affected versions of this package are vulnerable to Untrusted Search Path in the GlobalAuroraPgDialect, which is included in the public schema. A low-privileged user can elevate privileges ...

CVE-2026-11400

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rdssuperuser, via a crafted function created by the...

CVE-2026-5840

A security flaw has been discovered in PHPGurukul News Portal Project 4.1. Impacted is an unknown function of the file /admin/checkavailability.php. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been...

CVE-2026-34279

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager component: Event Management. Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle...

CVE-2026-11400

CVE-2026-11400 describes an untrusted search path vulnerability in the GlobalDatabasePlugin of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL. A remote authenticated low-privilege actor can escalate privileges to another Amazon RDS user, including rds_superuser, by creating a crafted ...

CVE-2026-49782

Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0...

PT-2026-45758

Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0...

CVE-2026-8873

The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...

CVE-2026-49009

Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal...

Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in Hackney versions 0 through prior to 4.0.1, which stems from a URL query component that does not percentile encode CRLF characters, potentially resulting in HTTP request splitting...

org.glassfish.main.admingui:admingui (>=7.0.0 <=9.0.0-M1), org.glassfish.main.admingui:console-cluster-plugin (>=7.0.0 <=9.0.0-M1) +19 more potentially affected by CVE-2026-2586 via org.glassfish.jsftemplating:jsftemplating (>=4.0.0 <=4.1.0)

org.glassfish.jsftemplating:jsftemplating MAVEN version =4.0.0, =7.0.0, =7.0.0, =7.0.16, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =9.0.0-M1 and more Source cves: CVE-2026-2586 Source advisory: SNYK:JAVA-ORGGLASSFISHJSFTEMPLATING-167906...