Lucene search

61239 matches found

Tenable Nessus | added 2026/04/17 12:0 a.m. | 3 views

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-007499)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007499 advisory. In the Linux kernel, the following vulnerability has been resolved: ethtool: Fix uninitialized number of lanes It is not possible to set the number of lanes when...

AI score 6.4 | EPSS 0.00168 | Exploits 0 | References 4
Tenable Nessus | added 2026/04/17 12:0 a.m. | 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007544)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007544 advisory. In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copythresh allocation failure The driver did not handle failure of...

AI score 5.6 | EPSS 0.00183 | Exploits 0 | References 4
CNNVD | added 2026/04/17 12:0 a.m. | 8 views

Mobatek MobaXterm Security Vulnerability

Mobatek MobaXterm is a terminal software developed by the French company Mobatek. It integrates an enhanced terminal, X servers, and Unix command sets GNU/Cygwin. The Mobatek MobaXterm Home Edition 26.1 and earlier versions have security vulnerabilities. These vulnerabilities stem from an unknown...

CVSS 7.3 | AI score 7.1 | EPSS 0.0015 | Exploits 0 | References 1
OSV | added 2026/04/16 11:36 p.m. | 4 views

BIT-AUTHENTIK-2025-52553 authentik has Insufficient Session verification for Remote Access Control endpoint access

authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, howev...

CVSS 9.6 | AI score 5.6 | EPSS 0.00405 | Exploits 0 | References 5
OSV | added 2026/04/16 11:36 p.m. | 4 views

BIT-AUTHENTIK-2023-26481 Insufficient user check in FlowTokens by Email stage

authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin or sent via email by an admin can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an...

CVSS 9.1 | AI score 5.7 | EPSS 0.00275 | Exploits 0 | References 3
SUSE CVE | added 2026/04/16 11:27 p.m. | 4 views

SUSE CVE-2026-40947

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path...

CVSS 2.9 | AI score 5.8 | EPSS 0.00131 | Exploits 0 | References 3
Circl | added 2026/04/16 11:18 p.m. | 2 views

CVE-2026-40900

creationtimestamp | type | source
---|---|---
2026-04-16 23:18:23+00:00 | published-proof-of-concept | Telegram/x6U1CUbtpfWdw00zGhzow4OOkK7AiEHUVbiM6o3SMYH6zs0
2026-04-17 00:21:55+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjnnruzhip2k
2026-04-20 20:32:29+00:00 | seen | ...

CVSS 8.8 | AI score 5.8 | EPSS 0.00342 | Exploits 1 | References 3
Snyk | added 2026/04/16 10:49 p.m. | 11 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

CVSS 5.4 | AI score 5.8 | Exploits 0 | References 2
Github Security Blog | added 2026/04/16 10:49 p.m. | 4 views

Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization

Summary MarkdownBody, the shared component used to render every Markdown surface in the Paperclip UI (issue documents, issue comments, chat threads, approvals, agent details, export previews, etc.), passes `urlTransform={url => url}` to react-markdown. That override replaces react-markdown's built-in...

AI score 5.8 | Exploits 0 | References 2 | Affected Software 1
Circl | added 2026/04/16 9:20 p.m. | 5 views

CVE-2026-33122

creationtimestamp | type | source
---|---|---
2026-04-16 21:20:19+00:00 | published-proof-of-concept | Telegram/Aucjp3CgnELaS6Gr5NTHztcQZsmAAmJEC2bwRSYMi6Gi6QU
2026-04-20 21:00:37+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjxefktdwk2c...

CVSS 9.8 | AI score 4.8 | EPSS 0.00405 | Exploits 1 | References 1
Circl | added 2026/04/16 9:18 p.m. | 4 views

CVE-2026-40933

creationtimestamp | type | source
---|---|---
2026-04-16 21:18:17+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-c9gw-hvqq-f33r
2026-04-17 01:18:30+00:00 | seen | https://bsky.app/profile/cyberlensai.bsky.social/post/3mjnqwtsarh26
2026-04-21 22:51:58+00:00 | seen | ...

CVSS 9.9 | AI score 6 | EPSS 0.01876 | Exploits 1 | References 15
Circl | added 2026/04/16 9:2 p.m. | 2 views

CVE-2018-14028

creationtimestamp | type | source
---|---|---
2026-04-16 21:02:31+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mjncncas7o2e...

CVSS 7.2 | AI score 5.7 | EPSS 0.17722 | Exploits 0 | References 1
Circl | added 2026/04/16 9:1 p.m. | 5 views

CVE-2026-41433

creationtimestamp | type | source
---|---|---
2026-04-16 21:01:04+00:00 | published-proof-of-concept | https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-8gmg-3w2q-65f4
2026-05-14 22:07:07+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mlttclqwvi2...

CVSS 8.4 | AI score 5.7 | EPSS 0.00194 | Exploits 1 | References 2
Circl | added 2026/04/16 8:56 p.m. | 5 views

CVE-9999-0001

creationtimestamp | type | source
---|---|---
2026-04-16 20:56:05+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mjncbsr4sl2l
2026-04-16 22:56:34+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mjniyect222c...

AI score 5.7 | Exploits 0 | References 2
Github Security Blog | added 2026/04/16 8:43 p.m. | 4 views

Weblate: Arbitrary File Read via Symlink

Impact The ZIP download feature didn't verify the downloaded file, and it could follow symlinks outside the repository. Patches https://github.com/WeblateOrg/weblate/pull/18683 References Thanks to @DavidCarliez for reporting this vulnerability via GitHub...

CVSS 7.7 | AI score 5.8 | EPSS 0.0041 | Exploits 0 | References 4 | Affected Software 1
OSV | added 2026/04/16 8:41 p.m. | 1 views

GHSA-VJ45-X3PJ-F4W4 Weblate: Improper access control for pending tasks in API

Impact The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. Patches https://github.com/WeblateOrg/weblate/pull/18515 Workarounds The attacker needs to guess the random UUID of the task, so...

CVSS 3.1 | AI score 5.8 | EPSS 0.00221 | Exploits 0 | References 5
OSSF Malicious Packages | added 2026/04/16 8:36 p.m. | 6 views

Malicious code in chai-as-optimized (npm)

chai-as-optimized is a malicious npm package that, when imported, downloads a C2 dropper from https://api.npoint.io/0ac7efbc0b6b1a53b305 and executes it, similar to the malware in chai-await-test. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

AI score 5.7 | Exploits 0 | References 2
Circl | added 2026/04/16 6:4 p.m. | 2 views

CVE-2026-5426

creationtimestamp | type | source
---|---|---
2026-04-16 18:04:10+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjmymffdvg2t
2026-04-17 00:00:41+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116417104416675988
2026-04-17 00:00:42+00:00 | seen | ...

CVSS 9.1 | AI score 6 | EPSS 0.0081 | Exploits 0 | References 23
Circl | added 2026/04/16 5:52 p.m. | 2 views

CVE-2026-40308

creationtimestamp | type | source
---|---|---
2026-04-16 17:52:10+00:00 | published-proof-of-concept | https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch
2026-04-16 23:18:29+00:00 | published-proof-of-concept | Telegram/uUtOgPMgnfpzQaGdgE5uvRP8Wc5QVkmzi4lAg5HL6Ws0-I...

CVSS 8.8 | AI score 5.7 | EPSS 0.00932 | Exploits 0 | References 4
EUVD | added 2026/04/16 3:31 p.m. | 2 views

EUVD-2026-23231

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message...

CVSS 7.1 | AI score 5.8 | EPSS 0.00312 | Exploits 1 | References 5