61128 matches found
UBUNTU-CVE-2026-4527
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a specially crafted link due...
CVE-2026-4527
GitLab CI/CD CSRF vulnerability CVE-2026-4527 affects GitLab CE/EE across all versions from 11.10 before 18.9.7, all 18.10 before 18.10.6, and 18.11 before 18.11.3. Root cause is missing CSRF protection that could allow an unauthenticated user to create unauthorized Jira subscriptions ...
EUVD-2026-30230
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a specially crafted link due...
CVE-2026-4527 Cross-Site Request Forgery (CSRF) in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a specially crafted link due...
CVE-2026-45712
creationtimestamp | type | source
---|---|---
2026-05-14 04:53:15+00:00 | published-proof-of-concept | https://github.com/axllent/mailpit/security/advisories/GHSA-w4vj-r5pg-3722...
CVE-2026-46419
creationtimestamp | type | source
---|---|---
2026-05-14 03:54:29+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mlrwasixhi2k...
CVE-2026-7635
creationtimestamp | type | source
---|---|---
2026-05-14 03:41:30+00:00 | seen | https://bsky.app/profile/donwebmedia.bsky.social/post/3mlrvjm2bpx2s
2026-05-16 13:32:06+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mlxxhjeuuq2s...
CVE-2026-6929
creationtimestamp | type | source
---|---|---
2026-05-14 02:50:33+00:00 | seen | https://bsky.app/profile/donwebmedia.bsky.social/post/3mlrsoimqbh24...
CVE-2026-32991
creationtimestamp | type | source
---|---|---
2026-05-14 02:46:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlrsgkjgte2e
2026-05-20 06:20:46+00:00 | seen | https://www.acn.gov.it/portale/w/cpanel-whm-e-wp-squared-poc-pubblico-per-lo-sfruttamento-della-cve-2026-29205
2026-05-20...
CVE-2026-45138
creationtimestamp | type | source
---|---|---
2026-05-14 01:57:30+00:00 | published-proof-of-concept | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-2m69-jmvh-6chr...
CVE-2026-45053
creationtimestamp | type | source
---|---|---
2026-05-14 01:00:51+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlrmkdeov42p...
CVE-2026-44380
creationtimestamp | type | source
---|---|---
2026-05-14 00:13:16+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlrjvangu42k...
PT-2026-41155
Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 Description The password reset flow in the resetRequest route of the modules/@apostrophecms/login/index.js component constructs the reset URL using req.hostname. When apos.baseUrl is not explicitly...
PT-2026-40867
Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 11.10 through 18.9.6 GitLab CE/EE versions 18.10 through 18.10.5 GitLab CE/EE versions 18.11 through 18.11.2 Description Missing Cross-Site Request Forgery CSRF protection—a flaw where an attacker tricks a victim into...
PT-2026-41146
Summary render toc ul builds a table-of-contents tree from a list of level, id, text tuples. Both the id value used as href="" and the text value used as the visible link label are inserted into tags via a plain Python format string — with no HTML escaping applied to either value. When heading ID...
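The PT-2026-41146 entry describes heading IDs and heading text interpolated straight into `<a href="">` markup. Below is an added example, not the affected project's code, that reproduces the pattern in JavaScript (a template literal standing in for the Python format string) and shows the fix: build the nested list from (level, id, text) entries and run every interpolated value through an HTML escaper. The heading entries are constructed for the example and the function names are assumptions.

```javascript
// Added example (not the affected project's code): table-of-contents rendering
// with and without HTML escaping of the id and text values.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Turns flat [level, id, text] entries into a tree, then renders nested <ul>.
// `esc` is applied to id and text right before they are interpolated into markup.
function renderToc(headings, esc) {
  const root = { children: [] };
  const stack = [{ level: 0, node: root }];
  for (const [level, id, text] of headings) {
    const node = { id, text, children: [] };
    while (stack[stack.length - 1].level >= level) stack.pop();
    stack[stack.length - 1].node.children.push(node);
    stack.push({ level, node });
  }
  const render = (nodes) =>
    nodes.length === 0
      ? ""
      : "<ul>" +
        nodes.map((n) => `<li><a href="#${esc(n.id)}">${esc(n.text)}</a>${render(n.children)}</li>`).join("") +
        "</ul>";
  return render(root.children);
}

const renderTocUnescaped = (h) => renderToc(h, (v) => String(v));   // the vulnerable pattern
const renderTocEscaped = (h) => renderToc(h, escapeHtml);            // the fix

// Constructed headings: the second id breaks out of the href attribute, the third text injects a tag.
const SAMPLE_HEADINGS = [
  [1, "intro", "Introduction"],
  [2, 'x" onmouseover="alert(1)', "Setup"],
  [2, "usage", "<img src=x onerror=alert(1)>"],
];
```

Escaping is the minimum; where heading IDs are derived from user-controlled text it is better to additionally constrain them to a slug pattern such as `[A-Za-z0-9_-]+` before they ever reach the template.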
PostgreSQL security vulnerability
PostgreSQL is a set of free object-relational database management systems developed by the PostgreSQL organization. This system supports most SQL standards and offers many other features, such as foreign keys, triggers, views, etc. Vulnerabilities existed in versions prior to PostgreSQL 18.4,...
Medium: amazon-ecr-credential-helper
Issue Overview: Arithmetic over induction variables in loops was not correctly checked for underflow or overflow in the Go compiler cmd/compile. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption in programs compiled with...
CVE-2025-27852
The locally served web site on the Garmin WDU v1 1.4.6 and v2 5.0 allows a reflected cross-site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator-level access to the device is...
CVE-2026-45055 CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header
CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded verbatim into transactional email links, most critically the password-reset link in...
CVE-2026-45055
CubeCart pre-authenticated password reset link poisoning via HTTP Host header (affecting 6.6.x–6.7.1) allows an unauthenticated attacker to cause password-reset tokens to be sent to a victim with a malicious domain (evil.com). Builds CC_STORE_URL from Host header without allowlist, embedding the ...