PT-2026-41196

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.5 Description The validate url function in backend/open webui/retrieval/web/utils.py only validates the initial URL provided by the user. Downstream HTTP clients, including sync requests, async aiohttp, and...

EUVD-2026-29922

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text via IMAP, SMTP, or POP3, a subsequent request to that same host bypasses the TLS requirement and instead transm...

CVE-2026-44240

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before...

CVE-2026-44240 basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before...

CLSA-2026-1778614755 dovecot: Fix of 2 CVEs

CVE-2026-27858: managesieve: fix DoS via crafted message before authentication that caused excessive memory allocation - CVE-2025-59032: managesieve: fix crash when AUTHENTICATE command does not finish on the first call literal SASL initial response...

State of ransomware in 2026

With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape. Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026: New families continue to emerge, adopting...

PT-2026-40037

CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials...

Unity Linux 20.1070e Security Update: postgresql (UTSA-2026-017787)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017787 advisory. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. Tenable ha...

SUSE CVE-2026-24767

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery SSRF vulnerability exists in the uploadViaURL functionality due to an unprotected HEAD request. While the subsequent file retrieval logic correctly enforces SSRF protections, t...

UBUNTU-CVE-2026-43363

In the Linux kernel, the following vulnerability has been resolved: x86/apic: Disable x2apic on resume if the kernel expects so When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or f...

CVE-2026-43363

CVE-2026-43363 concerns the Linux kernel x86 APIC subsystem. If, on resume from s2ram (S2/S3 wake), firmware re-enables x2APIC mode after the kernel has booted with x2APIC disabled, the system can run with x2APIC hardware but the kernel uses the xapic interface, leading to hangs. The issue is cau...

RLSA-2026:13857 Important: dovecot security update

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fixes: doveco...

RockyLinux 8 : dovecot (RLSA-2026:13830)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:13830 advisory. dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command CVE-2025-59032 dovecot: denial of service via crafted...

CVE-2026-42222

Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available...

EUVD-2026-27137

Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover...

Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover

Summary An unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. When the instance is still uninitialized, POST /api/install is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets th...

EUVD-2026-27135

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim...

GHSA-H27V-PH7W-M9FP Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Summary An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in...

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Summary An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in...

Oracle Linux 8 : dovecot (ELSA-2026-13830)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-13830 advisory. - fix CVE-2026-27858: denial of service via crafted message before authentication RHEL-161630 - fix CVE-2025-59032: ManageSieve: Denial of Service via...