PT-2026-33006

Name of the Vulnerable Software and Affected Versions XQUIC versions prior to 1.8.3 Description Improper input validation and improper verification of cryptographic signatures in the QUIC protocol implementation, specifically within the packet processing module and STREAM frame handler modules,...

Notepad++ <= 8.9.3 Stack-based Buffer Overflow (CVE-2026-5525)

The version of Notepad++ installed on the remote host is 8.9.3 or earlier. It is, therefore, affected by a stack-based buffer overflow vulnerability: - A stack-based buffer overflow exists in the file drop handler component WMDROPFILES. When a user drags and drops a directory path of exactly 259...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : libssh (SUSE-SU-2026:1310-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1310-1 advisory. - CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler bsc1259377...

Improper Authentication

Overview github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs. Affected versions of this package are vulnerable to Improper Authentication via the PutObjectHandler and PutObjectPartHandler function. An attacker can gain unauthorized write access to...

GHSA-C29W-QQ4M-2GCV goshs has an empty-username SFTP password authentication bypass

Summary goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network...

CVE-2026-6015

A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely...

CVE-2026-5993

A vulnerability was identified in Totolink A7100RU 7.4cu.2313b20191024. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wifiOff leads to os command injection. The attack can be executed...

io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files

A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response...

io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files

A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in select-organization.ftl - shown on the organization selection login page - since the organization.alias value is inserted into an inline JavaScript onclick handler. A user with manage-realm or...

EUVD-2026-22294

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting XSS vulnerability. This flaw occurs because the organization.alias is placed into an...

CVE-2026-37980

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting XSS vulnerability. This flaw occurs because the organization.alias is placed into an...

Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.3 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...

SUSE-SU-2026:1310-1 Security update for libssh

This update for libssh fixes the following issues: - CVE-2026-3731: Denial of Service via out-of-bounds read in SFTP extension name handler bsc1259377...

CVE-2026-5996

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ttyserver leads to os command injection. It is possible to...

CVE-2026-5976

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sambaEnabled results in os command injection. It is possible to initiate th...

CVE-2026-5971

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xmlfill of the file metagpt/actions/actionnode.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated cod...

GHSA-3JP4-MHH4-GCGR Kimai has an Open Redirect via Unvalidated RelayState in SAML ACS Handler

Summary The SAML authentication success handler in Kimai returns the RelayState POST parameter as a redirect destination without validating the host or scheme. After a user successfully authenticates via SAML, they are redirected to an attacker-controlled URL if the IdP includes a malicious...

CVE-2026-0512 Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)

Due to a Cross-Site Scripting XSS vulnerability in the SAP Supplier Relationship Management SICF Handler in SRM Catalog, an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow t...

Missing Authentication for Critical Function

Overview github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the PutObjectExtractHandler, PutObjectHandler, and PutObjectPartHandler function. An...