Unity Linux 20.1070e Security Update: velocity-tools (UTSA-2026-016718)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016718 advisory. The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an X...
Fedora 44 : cockpit (2026-ac9d9c87c8)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-ac9d9c87c8 advisory. Automatic update for cockpit-362-1.fc44. Changelog for cockpit Wed May 20 2026 Packit - 362-1 - Bug fixes and translation updates - Fix arbitrary code...
PT-2026-42752
Name of the Vulnerable Software and Affected Versions: Sync-in versions prior to 2.3. Description: An issue exists in the URL download feature where the private IP blocklist regex fails to match IPv4-mapped IPv6 addresses, such as ::ffff:127.0.0.1. On dual-stack systems, Node.js may report a socket'...
CVE-2026-8414
creationtimestamp | type | source
---|---|---
2026-05-21 23:17:44+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmfkjd6ocp2q...
CVE-2026-8411
creationtimestamp | type | source
---|---|---
2026-05-21 22:48:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmfiubuila2q...
CVE-2026-8139
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with...
CVE-2026-8139 Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with...
CVE-2026-8139
Concrete CMS versions 9.5.0 and earlier are vulnerable to stored XSS on the external-link page cvName due to updateCollectionAliasExternal bypassing sanitization. The issue is triggered by the sanitize bypass in updateCollectionAliasExternal, enabling stored scripts delivered to users. Affected p...
CVE-2026-47114
creationtimestamp | type | source
---|---|---
2026-05-21 21:00:53+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mmfculcztd2l
2026-06-05 11:01:43+00:00 | seen | https://bsky.app/profile/keiwork35.bsky.social/post/3mnjyezeuae22...
FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
Summary: A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port scanning...
USN-8294-1: PostgreSQL vulnerabilities
It was discovered that PostgreSQL did not correctly enforce authorization for CREATE TYPE. An attacker could possibly use this issue to execute arbitrary SQL functions. (CVE-2026-6472) It was discovered that PostgreSQL incorrectly handled large user input in multiple server features. An attacker...
CVE-2026-48527
creationtimestamp | type | source
---|---|---
2026-05-21 20:37:15+00:00 | published-proof-of-concept | https://github.com/haxtheweb/issues/security/advisories/GHSA-g2g8-95qg-v35h
2026-05-29 15:37:37+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmyuju2ije22
2026-05-30 23:01:15+00:00 |...
NPM: NocoDB: Shared-base link access can invite arbitrary users as persistent base members
NPM: NocoDB: Shared-base link access can invite arbitrary users as persistent base members vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
Missing Authorization
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Missing Authorization via the AclMiddleware in the request authorization path. An attacker can invite users or enumerate base members by sending userInvite or baseUserList requests from a shared-base session. This...
Allocation of Resources Without Limits or Throttling
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AttachmentsService upload-by-URL path in the attachment handling code. An attacker can exhaust storage or processing resources by providing a remote fil...
CVE-2026-48526
creationtimestamp | type | source
---|---|---
2026-05-21 20:35:04+00:00 | published-proof-of-concept | https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx
2026-05-28 17:38:22+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmwksx74os2e
2026-06-04 08:21:13+00:00 |...
CVE-2026-48213
creationtimestamp | type | source
---|---|---
2026-05-21 19:22:16+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmf5ebuiop2c...
Exploit for Link Following in Microsoft
🛡️ CVE-2026-41091 - RedSun Microsoft Defender Elevation...