
OSV
added 2026/05/04 5:20 p.m., 3 views

GHSA-RC95-PCM8-65V9 Quarkus has Authentication/Authorization bypasses

Quarkus version 3.32.4 is vulnerable to an authorization bypass issue GHSL-2026-099, in which semicolon matrix parameters in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources. Unauthenticated or lower-privileged users can...

CVSS 8.8, AI score 5.9, EPSS 0.00265
Exploits 0, References 3
NVD
added 2026/05/04 5:16 p.m., 10 views

CVE-2026-42376

D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01dlobdir456U" read from /etc/config/imagesign. The custom telnetd...

CVSS 9.8, EPSS 0.00461
Exploits 1, References 1
Cvelist
added 2026/05/04 4:57 p.m., 25 views

CVE-2026-42079 PPTAgent: Arbitrary Code Execution via Python eval() of LLM-Generated Code with Builtins in Scope

PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a...

CVSS 8.6, EPSS 0.00144
Exploits 0, References 2
EUVD
added 2026/05/04 4:50 p.m., 6 views

EUVD-2026-27012

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists...

CVSS 5.2, AI score 5.7, EPSS 0.00109
Exploits 0, References 2
ATTACKERKB
added 2026/05/04 4:37 p.m., 0 views

CVE-2026-26956

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5...

CVSS 9.8, AI score 6, EPSS 0.00745
Exploits 1, References 3
OSV
added 2026/05/04 1:12 p.m., 4 views

JLSEC-2026-395

When curl 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client...

CVSS 5.9, AI score 6.8, EPSS 0.05595
Exploits 1, References 18
OSV
added 2026/05/04 1:12 p.m., 2 views

JLSEC-2026-432 libcurl accidentally skips the certificate verification for QUIC connections when connecting to a...

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks...

CVSS 6.5, AI score 6.8, EPSS 0.00236
Exploits 1, References 6
IBM Security Bulletins
added 2026/05/04 12:51 p.m., 4 views

Security Bulletin: ACE Vulnerability in QOS.CH Logback-core 1.5.24: Class Instantiation via Compromised Configuration File

Summary ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a...

CVSS 1.8, AI score 5.8, EPSS 0.00151
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2026/05/04 12:46 p.m., 4 views

Security Bulletin: Safe Join Function Vulnerability Fixed in Werkzeug v3.1.6

Summary Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fac...

CVSS 6.3, AI score 5.7, EPSS 0.00556
Exploits 1, Affected Software 1
Ubuntu
added 2026/05/04 12:24 p.m., 9 views

USN-8229-1: sed vulnerability

Michał Majchrowicz and Marcin Wyczechowski discovered that sed incorrectly handled symbolic links when performing in-place edits. A local attacker could possibly use this issue to overwrite arbitrary files...

CVSS 2.1, AI score 5.9, EPSS 0.00142
Exploits 0
OSV
added 2026/05/04 12:24 p.m., 6 views

USN-8229-1 sed vulnerability

Michał Majchrowicz and Marcin Wyczechowski discovered that sed incorrectly handled symbolic links when performing in-place edits. A local attacker could possibly use this issue to overwrite arbitrary files...

CVSS 2.1, AI score 5.9, EPSS 0.00142
Exploits 0, References 2
UbuntuCve
added 2026/05/04 7:16 a.m., 5 views

CVE-2026-43861

mutt before 2.3.2 does not check for '\0' in url_pct_decode...

CVSS 3.7, AI score 5.8, EPSS 0.00162
Exploits 0, References 1
RedhatCVE
added 2026/05/04 6:29 a.m., 5 views

CVE-2026-40974

A flaw was found in Spring Boot's Cassandra auto-configuration. This vulnerability allows an adjacent attacker to bypass hostname verification during SSL (Secure Sockets Layer) connection establishment to Cassandra. This could enable a man-in-the-middle attack, potentially leading to unauthorized...

CVSS 9.8, AI score 5.7, EPSS 0.00182
Exploits 0, References 4
Vulnrichment
added 2026/05/04 2:45 a.m., 4 views

CVE-2026-7724 PrefectHQ prefect Webhook/Notification validate_restricted_url toctou

A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to a time-of-check time-of-use race. It is possible to initiate the attack remotely. The attack is...

CVSS 5, AI score 5.1, EPSS 0.0025
Exploits 0, References 9
GithubExploit
added 2026/05/04 12:2 a.m., 90 views

Exploit for Incorrect Resource Transfer Between Spheres in Linux Linux_Kernel

CVE-2026-31431 — Copy Fail Linux Kernel LPE Educational rew...

CVSS 7.8, AI score 6.1, EPSS 0.94016
Exploits 227
CNNVD
added 2026/05/04 12:0 a.m., 6 views

Apache Polaris input validation error vulnerability

Apache Polaris is a data management and query service component of the Apache Foundation. Version 1.4.0 of Apache Polaris contains a vulnerability related to input validation. This vulnerability arises from the acceptance of literal asterisk characters in namespace and table names without proper...

CVSS 9.9, AI score 5.8, EPSS 0.00424
Exploits 0, References 1
Packet Storm News
added 2026/05/04 12:0 a.m., 4 views

nimrc 1.0.0

nimrm is a native WinRM interactive shell client written in Nim. It's designed to be a compact and fast tool for system administration and authorized security testing. Key features include NTLM and Kerberos authentication, in-memory operations, file transfers, OPSEC awareness, and cross platform...

AI score 5.6
Exploits 0
Positive Technologies
added 2026/05/04 12:0 a.m., 4 views

PT-2026-36857

Name of the Vulnerable Software and Affected Versions: PPTAgent versions prior to commit 418491a. Description: An agentic framework for reflective PowerPoint generation allows arbitrary code execution. This occurs because the software uses the Python eval function to process code generated by a Larg...

CVSS 8.6, AI score 6.1, EPSS 0.00144
Exploits 0, References 9
Positive Technologies
added 2026/05/04 12:0 a.m., 6 views

PT-2026-37183

Name of the Vulnerable Software and Affected Versions: Net::IMAP versions prior to 0.3.10; Net::IMAP versions prior to 0.4.24; Net::IMAP versions prior to 0.5.14; Net::IMAP versions prior to 0.6.4. Description: A man-in-the-middle attacker can cause the starttls function to return successfully without...

CVSS 7.6, AI score 5.8, EPSS 0.00422
Exploits 0, References 33
Positive Technologies
added 2026/05/04 12:0 a.m., 7 views

PT-2026-36924

ITEMS ADDED: Filters: Add filter for Atmos PM-5173. Filters: Add filter for audio layout PM-5118. Filters: Add filters for video, audio, and subtitle codecs PM-5117. Metadata: Add support for RottenTomatoes audience and average ratings to Nfo parser PM-5176. Metadata: Detect Dolby Atmos PM-4004. Metadata...

AI score 5.8
Exploits 0, References 2