Positive Technologies, added 2026/04/29 12:00 a.m., 3 views

PT-2026-35914

Name of the Vulnerable Software and Affected Versions: Jenkins Credentials Binding Plugin versions prior to 719.v80e905ef14eb. Description: Insufficient sanitization of file names for file and zip file credentials allows attackers who can provide credentials to a job to write files to arbitrary...

CVSS 7.5 | AI score 6.7 | EPSS 0.00411
Exploits 0 | References 6
Positive Technologies, added 2026/04/29 12:00 a.m., 6 views

PT-2026-37115

Name of the Vulnerable Software and Affected Versions: OpenTelemetry.Resources.Azure versions prior to 1.15.0-beta.2. Description: The AzureVmMetaDataRequestor function makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without a size limit. An...

CVSS 5.9 | AI score 5.8 | EPSS 0.00323
Exploits 0 | References 10
Snyk, added 2026/04/29 12:00 a.m., 7 views

Improper Validation of Specified Quantity in Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input due to improper handling of oversized Subject Alternative Name fields during certificate validation. An attacker can bypass certificate validation by crafting a certificate with an...

CVSS 8.8 | AI score 5.8 | EPSS 0.004
Exploits 0 | References 2
OSV, added 2026/04/28 11:16 p.m., 2 views

DEBIAN-CVE-2026-7346

Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Chromium security severity: High...

CVSS 8.1 | AI score 5.4 | EPSS 0.00252
Exploits 0 | References 1
NVD, added 2026/04/28 11:16 p.m., 1 view

CVE-2026-7346

Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Chromium security severity: High...

CVSS 8.1 | EPSS 0.00252
Exploits 0 | References 2
UbuntuCve, added 2026/04/28 11:16 p.m., 4 views

CVE-2026-7338

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. Chromium security severity: High...

CVSS 7.5 | AI score 5.8 | EPSS 0.00134
Exploits 0 | References 1
EUVD, added 2026/04/28 6:09 p.m., 2 views

EUVD-2026-26094

OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations...

CVSS 7.1 | AI score 5.2 | EPSS 0.00207
Exploits 0 | References 3
Information Security Automation, added 2026/04/28 6:00 p.m., 12 views

April "In the Trend of VM" (#26): one Microsoft SharePoint vulnerability

April "In the Trend of VM" 26: one Microsoft SharePoint vulnerability. Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. Once again, it is single-vendor, Microsoft-related, and this time it could not be more compact. While the previous Marc...

CVSS 9.8 | AI score 5.8 | EPSS 0.31109
Exploits 0
OSV, added 2026/04/28 4:24 p.m., 4 views

CLSA-2026-1777393442 openssh: Fix of CVE-2026-35414

CVE-2026-35414: fix incorrect matching of principals in the authorized_keys principals="..." option when a certificate principal contains a comma character...

CVSS 8.1 | AI score 5.8 | EPSS 0.00176
Exploits 0 | References 1
OSV, added 2026/04/28 3:30 p.m., 4 views

GHSA-4G9C-3X4P-MFPP Spring gRPC SecurityContext leaks across requests upon authorization failure

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions:...

CVSS 4.2 | AI score 5.8 | EPSS 0.00171
Exploits 0 | References 3
NVD, added 2026/04/28 2:16 p.m., 4 views

CVE-2026-40550

mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application’s memory by inspecti...

CVSS 6.9 | EPSS 0.00121
Exploits 0 | References 2
ATTACKERKB, added 2026/04/28 1:49 p.m., 3 views

CVE-2026-7320

Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1...

CVSS 7.5 | AI score 5.1 | EPSS 0.00273
Exploits 0 | References 7
Talos Blog, added 2026/04/28 1:23 p.m., 4 views

Five defender priorities from the Talos Year in Review

A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures -- all without code. One such case was recently...

AI score 6
Exploits 0
ATTACKERKB, added 2026/04/28 1:12 p.m., 3 views

CVE-2026-40550

mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application’s memory by inspecti...

CVSS 6.9 | AI score 5.3 | EPSS 0.00121
Exploits 0 | References 3
RedhatCVE, added 2026/04/28 12:27 p.m., 1 view

CVE-2026-40970

A flaw was found in Spring Boot. When configured to use an SSL (Secure Sockets Layer) bundle, the Elasticsearch auto-configuration component does not perform hostname verification when establishing a connection to the Elasticsearch server. An attacker on an adjacent network could exploit this by...

CVSS 6.8 | AI score 5.4 | EPSS 0.00136
Exploits 0 | References 4
OSV, added 2026/04/28 12:06 p.m., 12 views

RLSA-2026:10767 Important: firefox security update

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS CVE-2026-6772 firefox: thunderbird: Use-after-free in the JavaScript Engine compone...

CVSS 7.5 | AI score 5.3 | EPSS 0.04938
Exploits 1 | References 26
OSV, added 2026/04/28 11:30 a.m., 5 views

MINI-QW6W-5W6C-QHCH

Bulletin has no description...

CVSS 8.7 | AI score 4.9 | EPSS 0.0043
Exploits 0
Snyk, added 2026/04/28 11:19 a.m., 1 view

Improper Validation of Certificate with Host Mismatch

Overview: org.apache.thrift:libthrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC. Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to insufficient verificatio...

CVSS 8.2 | AI score 5.9 | EPSS 0.00252
Exploits 0 | References 2
Snyk, added 2026/04/28 11:19 a.m., 3 views

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read via the skip function. An attacker can cause a crash or read unintended memory by providing specially crafted input that triggers an out-of-bounds access. Remediation: Upgrade thrift to version 0.23.0 or higher...

CVSS 8.8 | AI score 5.8 | EPSS 0.0058
Exploits 0 | References 2
OSV, added 2026/04/28 3:19 a.m., 3 views

MINI-QJXC-V9JP-6V38

Bulletin has no description...

CVSS 6.1 | AI score 8.1 | EPSS 0.00155
Exploits 0