
ATTACKERKB
added 2026/03/27 6:22 p.m. | 1 view

CVE-2026-26060

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the...

CVSS 6 | AI score 5.8 | EPSS 0.00335
Exploits: 0 | References: 2 | Affected software: 1
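The Fleet entry above describes the general failure mode of a reset token outliving the password it was issued for. The model below is an added illustration, not Fleet's code: every reset token records the user's password version at issue time, and any password change bumps that version and deletes the user's outstanding tokens. The user IDs, the one-hour TTL and the use of SHA-256 in place of a real password KDF are assumptions made for a dependency-free example.

```python
"""Password-reset tokens that die with the password they were issued against.

Illustrative model (not Fleet's code): each token records the user's
password_version at issue time; a password change bumps the version and
deletes the user's outstanding tokens, so a token minted before the change
can never be replayed afterwards.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # assumption: one-hour reset window


@dataclass
class User:
    # sha256 stands in for a real password KDF (argon2/bcrypt) to keep the example dependency-free
    password_hash: str
    password_version: int = 0  # incremented on every password change


@dataclass
class ResetToken:
    token_hash: str        # only the hash of the token is stored server-side
    user_id: str
    password_version: int  # version the token was issued against
    expires_at: float


class PasswordService:
    def __init__(self, now=time.time):
        self.users: dict[str, User] = {}
        self.tokens: dict[str, ResetToken] = {}  # keyed by token hash
        self._now = now

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def create_user(self, user_id: str, password: str) -> None:
        self.users[user_id] = User(password_hash=self._digest(password))

    def issue_reset_token(self, user_id: str) -> str:
        user = self.users[user_id]
        raw = secrets.token_urlsafe(32)
        self.tokens[self._digest(raw)] = ResetToken(
            token_hash=self._digest(raw),
            user_id=user_id,
            password_version=user.password_version,
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return raw  # the only copy of the raw token goes to the user (e.g. by e-mail)

    def _set_password(self, user: User, user_id: str, new_password: str) -> None:
        user.password_hash = self._digest(new_password)
        user.password_version += 1
        # The fix for the stale-token bug class: a password change revokes every
        # outstanding reset token for that user, whichever path changed the password.
        self.tokens = {h: t for h, t in self.tokens.items() if t.user_id != user_id}

    def change_password(self, user_id: str, new_password: str) -> None:
        self._set_password(self.users[user_id], user_id, new_password)

    def reset_with_token(self, raw_token: str, new_password: str) -> bool:
        rec = self.tokens.get(self._digest(raw_token))  # lookup by hash; the raw token is never stored
        if rec is None or rec.expires_at <= self._now():
            return False
        user = self.users[rec.user_id]
        # Defence in depth: even if deletion were missed, a token bound to an
        # older password_version is refused.
        if rec.password_version != user.password_version:
            return False
        self._set_password(user, rec.user_id, new_password)  # also consumes this token
        return True

    def verify_password(self, user_id: str, password: str) -> bool:
        return hmac.compare_digest(self.users[user_id].password_hash, self._digest(password))


def demo() -> dict:
    """Walk through the stale-token scenario and return what each step yielded."""
    svc = PasswordService()
    svc.create_user("alice", "old-password")
    stale = svc.issue_reset_token("alice")        # token issued before the change
    svc.change_password("alice", "new-password")  # user changes password normally
    fresh = svc.issue_reset_token("alice")
    return {
        "stale_token_accepted": svc.reset_with_token(stale, "attacker-chosen"),
        "fresh_token_accepted": svc.reset_with_token(fresh, "reset-password"),
        "fresh_token_reused": svc.reset_with_token(fresh, "again"),
        "final_password_ok": svc.verify_password("alice", "reset-password"),
    }


if __name__ == "__main__":
    print(demo())
```

Two checks matter in a real code base: the revocation must run from every code path that changes the password (self-service change, admin reset, token reset), and the version binding catches the case where one of those paths is forgotten.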
Vulnrichment
added 2026/03/27 6:16 p.m. | 4 views

CVE-2025-15612 Wazuh Provisioning Scripts / Build Infrastructure Improper Certificate Validation leading to MITM and RCE

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies o...

CVSS 6.3 | AI score 6.5 | EPSS 0.00216
Exploits: 1 | References: 2
CVE
added 2026/03/27 6:16 p.m. | 11 views

CVE-2025-15612

CVE-2025-15612 concerns Wazuh provisioning scripts and Dockerfiles where curl is invoked with -k/--insecure, skipping SSL/TLS certificate validation. The concrete details across connected documents show: affected component is the provisioning/build infrastructure; root cause is insecure transport...

CVSS 8.1 | AI score 6.5 | EPSS 0.00216
Exploits: 1 | References: 2 | Affected software: 1
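Both CVE-2025-15612 entries above come down to one pattern in build scripts and Dockerfiles: curl invoked with -k/--insecure, which disables certificate validation and hands a network attacker the downloaded dependency. The scanner below is an added example, not Wazuh's tooling, that finds that pattern (including the short flag folded into a cluster such as -sSLk, and wget's --no-check-certificate) across backslash-continued, &&-chained shell-form RUN lines. The sample Dockerfile is constructed for the example; Dockerfile exec-form RUN ["curl", ...] is not parsed.

```python
"""Flag downloads whose TLS certificate validation is switched off.

Added example (not Wazuh's tooling): scans Dockerfile/shell text for curl -k /
--insecure and wget --no-check-certificate, including the short flag folded into
a cluster such as -sSLk. Handles backslash line continuations and '&&'-chained
commands; Dockerfile exec-form RUN ["curl", ...] is not parsed.
"""
import shlex
from dataclasses import dataclass

INSECURE_LONG_FLAGS = {
    "curl": {"--insecure"},
    "wget": {"--no-check-certificate"},
}


@dataclass(frozen=True)
class Finding:
    line: int      # line where the (possibly continued) command starts
    tool: str
    command: str


def _join_continuations(text: str):
    """Yield (start_line, logical_line) with trailing-backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def _split_commands(tokens):
    """Split a token list at shell command separators."""
    cmd = []
    for tok in tokens:
        if tok in ("&&", "||", ";", "|"):
            if cmd:
                yield cmd
            cmd = []
        else:
            cmd.append(tok)
    if cmd:
        yield cmd


def _disables_tls_verification(argv) -> bool:
    tool = argv[0]
    for arg in argv[1:]:
        if arg in INSECURE_LONG_FLAGS[tool]:
            return True
        # curl's short form: -k alone or folded into a cluster (-sSLk); uppercase -K is a config file
        if tool == "curl" and arg.startswith("-") and not arg.startswith("--") and "k" in arg[1:]:
            return True
    return False


def find_insecure_downloads(text: str) -> list:
    findings = []
    for start, logical in _join_continuations(text):
        lexer = shlex.shlex(logical, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True  # keeps URLs whole, still splits '&&', ';', '|'
        try:
            tokens = list(lexer)
        except ValueError:  # unbalanced quotes: skip the line rather than crash the scan
            continue
        for argv in _split_commands(tokens):
            if argv and argv[0] == "RUN":  # Dockerfile shell-form prefix
                argv = argv[1:]
            if argv and argv[0] in INSECURE_LONG_FLAGS and _disables_tls_verification(argv):
                findings.append(Finding(start, argv[0], " ".join(argv)))
    return findings


# Constructed sample, not taken from any real Wazuh file.
SAMPLE_DOCKERFILE = r"""FROM ubuntu:22.04
RUN apt-get update && \
    curl -sSL -k https://packages.example.invalid/key.gpg -o /tmp/key.gpg && \
    apt-key add /tmp/key.gpg
RUN curl --insecure -O https://downloads.example.invalid/agent.tar.gz
RUN wget --no-check-certificate https://downloads.example.invalid/checksums.txt
RUN curl -fsSL --cacert /etc/ssl/certs/ca.pem https://downloads.example.invalid/good.tar.gz -o good.tar.gz
"""

if __name__ == "__main__":
    for f in find_insecure_downloads(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.tool} disables certificate validation: {f.command}")
```

The fix in the scripts themselves is the last sample line: keep validation on, point curl at the expected CA with --cacert where a private CA is in play, and verify a pinned checksum or signature of the artifact after download.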
OSV
added 2026/03/27 6:08 p.m. | 3 views

GHSA-364X-8G5J-X2PR n8n has XSS in its Credential Management Flow

Impact: An authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execut...

CVSS 5.4 | AI score 5.8
Exploits: 0 | References: 2
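The n8n advisory above hinges on a user-controlled URL being bound to a button, which turns a javascript: URL into script execution in the viewer's browser. The validator below is an added example, not n8n's code: it allow-lists the scheme after the same pre-processing browsers apply (strip leading and trailing C0 controls and space, remove ASCII tab and newline), so the usual bypasses such as leading whitespace, mixed case or an embedded tab are caught. The https-only allow-list and the candidate payloads are assumptions constructed for the example.

```python
"""Allow-list the scheme of a user-supplied OAuth2 authorization URL.

Added example, not n8n's code. A URL that is later bound to a button or link must
never be a javascript: (or data:, vbscript:) URL; checking the scheme after the
normalisation browsers apply (strip leading/trailing C0 controls and space,
remove ASCII tab/newline) closes the obvious bypasses.
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: an OAuth2 authorization endpoint should be HTTPS
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(url: str) -> str:
    """Apply the WHATWG URL pre-processing steps that matter for scheme checks."""
    url = url.strip(_C0_AND_SPACE)
    return url.replace("\t", "").replace("\n", "").replace("\r", "")


def check_authorization_url(url: str) -> Optional[str]:
    """Return None if the URL is acceptable, otherwise a short rejection reason."""
    if not isinstance(url, str) or not url:
        return "empty"
    cleaned = normalize_url(url)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return "unparseable"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"
    if not parts.hostname:  # 'https:alert(1)' parses with an https scheme but no host
        return "missing host"
    return None


# Constructed inputs: one legitimate endpoint and the payload shapes an attacker
# would try in an "Authorization URL" field.
CANDIDATES = [
    "https://auth.example.invalid/oauth2/authorize",
    "javascript:alert(document.cookie)",
    "  JavaScript:alert(1)",
    "jav\tascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "//auth.example.invalid/authorize",
    "https:alert(1)",
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c!r:50} -> {check_authorization_url(c) or 'ok'}")
```

Apply the check where the credential is saved and again where the front end binds the URL to the button; stored values from before the fix are otherwise still rendered.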
OSV
added 2026/03/27 5:21 p.m. | 4 views

GHSA-453R-G2PG-CXXQ Local Incus UI web server vulnerable to authentication bypass

Summary: The web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. Details: incus webui runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token...

CVSS 8.8 | AI score 6 | EPSS 0.00347
Exploits: 0 | References: 5
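The Incus entry above states only that an invalid token value is accepted. The code below is an added illustration, not Incus's code and not a reconstruction of its bug: a broken check of the accept-on-invalid class (a prefix comparison, which also accepts an empty or missing token) is placed beside a hardened one that requires a present, well-formed token and compares it in constant time. The token format and the ?token= query parameter name are assumptions.

```python
"""Validate a local web UI's bearer token so that only the exact token is accepted.

Added example, not Incus's code. The broken variant is an illustrative
accept-on-invalid pattern (a prefix comparison that also accepts the empty
string); the hardened variant requires a present, well-formed token and
compares it in constant time.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs

TOKEN_BYTES = 32  # assumption: 32 random bytes, hex-encoded in the bootstrap URL


def new_token() -> str:
    """Mint the per-session token placed in the URL handed to the user."""
    return secrets.token_hex(TOKEN_BYTES)


def broken_check(expected: str, supplied: Optional[str]) -> bool:
    # Illustrative bug class: a missing or partial token is treated as a match.
    return expected.startswith(supplied or "")


def check_token(expected: str, supplied: Optional[str]) -> bool:
    """Accept only a token that is present, the right shape, and byte-for-byte equal."""
    if not supplied or len(supplied) != 2 * TOKEN_BYTES:
        return False
    try:
        bytes.fromhex(supplied)  # reject anything that is not hex of the right length
    except ValueError:
        return False
    # compare_digest does not leak how many leading characters matched
    return hmac.compare_digest(expected.encode(), supplied.encode())


def query_token(query_string: str) -> Optional[str]:
    """Extract ?token=... from the bootstrap URL; duplicates are rejected, not merged."""
    values = parse_qs(query_string, keep_blank_values=True).get("token", [])
    return values[0] if len(values) == 1 else None


def demo() -> dict:
    """Return (broken_check, check_token) results for each constructed input."""
    expected = new_token()
    cases = {
        "exact": expected,
        "empty": "",
        "missing": None,
        "prefix": expected[:16],
        "wrong_last_char": expected[:-1] + ("0" if expected[-1] != "0" else "1"),
    }
    return {name: (broken_check(expected, tok), check_token(expected, tok)) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, (broken, hardened) in demo().items():
        print(f"{name:16} broken={broken!s:5} hardened={hardened}")
```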
RedhatCVE
added 2026/03/27 5:09 p.m. | 4 views

CVE-2026-33477

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versions 2.3.7 through 3.10.0, the file snippet endpoint /api/file/snippet.php allows an authenticated user with only readown access to a folder to retrieve snippet content from files upload...

CVSS 4.3 | AI score 5.8 | EPSS 0.00225
Exploits: 1 | References: 1
OSV
added 2026/03/27 2:04 p.m. | 4 views

OESA-2026-1747 mongo-c-driver security update

mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB, and libbson, a library providing useful routines related to building, parsing, and iterating BSON documents. Security Fixes: A compromised third party cloud server or man-in-the-middle...

CVSS 3.7 | AI score 5.9 | EPSS 0.00187
Exploits: 0 | References: 2
OSV
added 2026/03/27 2:04 p.m. | 3 views

OESA-2026-1743 mongo-c-driver security update

mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB, and libbson, a library providing useful routines related to building, parsing, and iterating BSON documents. Security Fixes: A compromised third party cloud server or man-in-the-middle...

CVSS 3.7 | AI score 5.9 | EPSS 0.00187
Exploits: 0 | References: 2
Microsoft CVE
added 2026/03/27 2:00 p.m. | 5 views

Microsoft Edge (Chromium-based) Defense in Depth Vulnerability - Rejected

...

AI score 5.8 | EPSS 0.00041
Exploits: 0
ATTACKERKB
added 2026/03/27 1:30 p.m. | 5 views

CVE-2026-4340

REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage...

AI score 5.8
Exploits: 0 | References: 1
OSV
added 2026/03/27 12:07 p.m. | 3 views

RLSA-2026:4705 Moderate: nginx security update

nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fixes: nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections CVE-2026-1642 For more details about the security issues,...

CVSS 5.9 | AI score 5.9 | EPSS 0.00339
Exploits: 0 | References: 2
The Hacker News
added 2026/03/27 12:03 p.m. | 5 views

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report from Push Security. Business accounts associated with social media platforms are a lucrative target, as they can be weaponized by bad actor...

AI score 5.9
Exploits: 0
Japan Vulnerability Notes
added 2026/03/27 8:34 a.m. | 9 views

WordPress Plugin "OpenStreetMap" vulnerable to cross-site scripting

Overview: WordPress Plugin "OpenStreetMap" provided by MiKa contains the following vulnerability: cross-site scripting (CWE-79), CVE-2026-33559. Naoya Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: O...

CVSS 5.4 | AI score 5.9 | EPSS 0.00177
Exploits: 0 | References: 4
EUVD
added 2026/03/27 6:31 a.m. | 4 views

EUVD-2026-16553

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user...

CVSS 5.4 | AI score 5.7 | EPSS 0.00177
Exploits: 0 | References: 3
CNNVD
added 2026/03/27 12:00 a.m. | 6 views

Wazuh security vulnerability

Wazuh is an open-source application developed by Wazuh. It is used for collecting, summarizing, indexing, and analyzing security data, helping organizations detect intrusions, threats, and abnormal behaviors. Wazuh has security vulnerabilities, which stem from the use of insecure transmission...

CVSS 8.1 | AI score 6.1 | EPSS 0.00216
Exploits: 1 | References: 2
Positive Technologies
added 2026/03/27 12:00 a.m. | 3 views

PT-2026-28495

Name of the vulnerable software and affected versions: WordPress Plugin OpenStreetMap, affected versions not specified. Description: The OpenStreetMap WordPress plugin by MiKa has a cross-site scripting issue. A user logged in with page creation or editing rights can inject malicious script...

CVSS 5.4 | AI score 5.8 | EPSS 0.00177
Exploits: 0 | References: 4
CNNVD
added 2026/03/27 12:00 a.m. | 6 views

Ubiquiti UniFi Network Controller trust management vulnerability

The Ubiquiti UniFi Network Controller is a control software platform developed by the American company Ubiquiti, designed for centralized management and monitoring of network devices. Versions prior to 5.10.22 and 5.11.18, as well as the 5.11.x series, contained vulnerabilities related to trust...

CVSS 7.7 | AI score 5.9 | EPSS 0.00111
Exploits: 0 | References: 2
Tenable Nessus
added 2026/03/27 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-33898

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication...

CVSS 8.8 | AI score 5.9 | EPSS 0.00347
Exploits: 0 | References: 3
GitLab Advisory Database
added 2026/03/27 12:00 a.m. | 5 views

AWS SDK for .NET: Improper escaping of special characters in CloudFront policy document construction

This notification is related to the CloudFront signing utilities in the AWS SDK for .NET, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and...

AI score 5.7
Exploits: 0 | References: 3
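The AWS SDK for .NET notice above concerns special characters such as double quotes in a CloudFront policy document. The code below is an added illustration of that bug class and is not the SDK's code: a builder that interpolates the resource string into a JSON template is placed beside one that lets json.dumps do the escaping. The resource value is constructed for the example and shows how a quote in an attacker-influenced path can smuggle a second statement into a policy the key holder then signs; the hostnames and expiry are assumptions.

```python
"""Build a CloudFront custom-policy document without string interpolation.

Added example, not the AWS SDK's code. The unsafe builder shows the bug class the
advisory describes: a resource string containing a double quote breaks out of the
JSON and, here, smuggles in a second statement. The safe builder lets json.dumps
escape every special character, so the resource round-trips exactly.
"""
import json


def build_policy_unsafe(resource: str, expires_epoch: int) -> str:
    # DO NOT USE: interpolates untrusted text straight into the JSON document.
    return (
        '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}'
        % (resource, expires_epoch)
    )


def build_policy(resource: str, expires_epoch: int) -> str:
    """Serialise the policy from a data structure; json.dumps escapes quotes and backslashes."""
    policy = {
        "Statement": [
            {
                "Resource": resource,
                "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
            }
        ]
    }
    # compact separators: no whitespace in the document that is then base64-encoded and signed
    return json.dumps(policy, separators=(",", ":"))


def statements(policy_json: str) -> list:
    """Parse a policy document back and return its Statement array."""
    return json.loads(policy_json)["Statement"]


# Constructed attacker-influenced resource (example.invalid host): a "filename" that
# closes the first statement and opens a second one covering the whole distribution.
EVIL_RESOURCE = (
    'https://d1.example.invalid/a.jpg","Condition":{"DateLessThan":{"AWS:EpochTime":4102444800}}},'
    '{"Resource":"https://d1.example.invalid/*'
)
EXPIRES = 1700000000

if __name__ == "__main__":
    unsafe = statements(build_policy_unsafe(EVIL_RESOURCE, EXPIRES))
    safe = statements(build_policy(EVIL_RESOURCE, EXPIRES))
    print("unsafe builder signed", len(unsafe), "statements; second resource:", unsafe[1]["Resource"])
    print("safe builder signed", len(safe), "statement; resource intact:", safe[0]["Resource"] == EVIL_RESOURCE)
```

The same rule applies to any signed document assembled from caller input: build the structure, then serialise it; never template it as text.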
RedhatCVE
added 2026/03/26 11:03 p.m. | 6 views

CVE-2025-14808

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET request, which could be captured using man-in-the-middle techniques...

CVSS 3.1 | AI score 5.8 | EPSS 0.00225
Exploits: 0 | References: 1