PYSEC-2026-171

Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default...

CVE-2026-42253

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

CVE-2026-10517

The CVE describes a flaw in Clair’s fetcher where it makes outbound HTTP requests to attacker-supplied URIs taken from manifest layer descriptors without filtering IPs or schemes. If PSK authentication is not configured, an unauthenticated attacker can submit a manifest pointing to internal servi...

CVE-2026-41017

Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default...

CVE-2026-42253

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

CVE-2026-42253

CVE-2026-42253 affects Apache ActiveMQ and Apache ActiveMQ Web. The vulnerability arises in the MessageServlet of the web console API, which copies every JMS message property into HTTP response headers without validation, enabling potential HTTP header injection and cross-site scripting via JMS m...

CVE-2026-42253 Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

Security update for ignition

This update for ignition fixes the following issue CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265751. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or...

SUSE-SU-2026:2194-1 Security update for ignition

This update for ignition fixes the following issue - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265751...

Security update for ignition

This update for ignition fixes the following issue CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265751. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or...

MOVEit Transfer - Remote Code Execution

In Progress MOVEit Transfer before 2021.0.6 13.0.6, 2021.1.4 13.1.4, 2022.0.4 14.0.4, 2022.1.5 14.1.5, and 2023.0.1 15.0.1, a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database...

Cisco HyperFlex HX Data Platform - Arbitrary File Upload

Cisco HyperFlex HX Data Platform contains an arbitrary file upload vulnerability in the web-based management interface. An attacker can send a specific HTTP request to an affected device, thus enabling upload of files to the affected device with the permissions of the tomcat8 user. id:...

FreeIPA - XML Entity Injection

Access to external entities when parsing XML documents can lead to XML external entity XXE attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests. id: CVE-2022-2414 info: name: FreeIPA - XML Entity Injection...

Hoverfly < 1.10.3 - Arbitrary File Read

Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary...

Jenkins build-metrics 1.3 - Cross-Site Scripting

Jenkins build-metrics 1.3 is vulnerable to a reflected cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript into the web pages the plugin provides. id: CVE-2019-10475 info: name: Jenkins build-metrics 1.3 - Cross-Site Scripting author: madrobot severity...

Oracle Fusion Middleware WebCenter Sites - Cross-Site Scripting

The Oracle WebCenter Sites component of Oracle Fusion Middleware is susceptible to multiple instances of cross-site scripting that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebCenter Sites. Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2....

CData API Server < 23.4.8844 - Path Traversal

A path traversal vulnerability exists in the Java version of CData API Server 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. id: CVE-2024-31848 info: name: CData API Server...

Ivanti Connect Secure - XXE

Ivanti Connect Secure is vulnerable to XXE XML External Entity injection. id: CVE-2024-22024 info: name: Ivanti Connect Secure - XXE author: watchTowr severity: high description: | Ivanti Connect Secure is vulnerable to XXE XML External Entity injection. impact: | Successful exploitation of this...

.NET Framework - Leaking ObjRefs via HTTP .NET Remoting

.NET Framework Information Disclosure Vulnerability id: CVE-2024-29059 info: name: .NET Framework - Leaking ObjRefs via HTTP .NET Remoting author: iamnoooob,rootxharsh,DhiyaneshDk,pdresearch severity: high description: .NET Framework Information Disclosure Vulnerability impact: | Attackers can...

Likeshop < 2.5.7.20210311 - Arbitrary File Upload

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an...