ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

ERB implements an @init guard to prevent code execution when ERB objects are reconstructed via Marshal.load on untrusted data. However, ERBdefmethod, ERBdefmodule, and ERBdefclass evaluate the template source without checking this guard, allowing an attacker who controls the data passed to...

PT-2026-32334

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load student.php...

CVE-2026-36873

CVE-2026-36873 affects Sourcecodester Basic Library System v1.0. The vulnerability is a SQL Injection in the administrative loader endpoint at /librarysystem/load_admin.php (variants in copies show /librarysystem/load_admin.php). Evidence from Red Hat, ENISA EUVD, CIRCL, CVE lists confirms the sa...

📄 Cockpit CMS 2.13.5 NoSQL Injection

Cockpit CMS version 2.13.5 is vulnerable to NoSQL operator injection on multiple API endpoints. User-supplied filter objects are forwarded to the Mongolite query engine without stripping MongoDB operators. Authenticated users can bypass intended query filters and perform boolean-based blind queri...

PT-2026-32333

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load admin.php...

CVE-2026-36873

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/loadadmin.php...

SourceCodester Basic Library System 安全漏洞

The SourceCodester Basic Library System is an open-source library system developed by SourceCodester. Version 1.0 of the SourceCodester Basic Library System contains a security vulnerability, which stems from an SQL injection vulnerability in the /librarysystem/loadstudent.php file...

SourceCodester Basic Library System 安全漏洞

The SourceCodester Basic Library System is an open-source library system developed by SourceCodester. Version 1.0 of the SourceCodester Basic Library System contains a security vulnerability, which stems from an SQL injection vulnerability in the /librarysystem/loadadmin.php file...

[SECURITY] Fedora 42 Update: trafficserver-10.1.2-1.fc42

Traffic Server is a high-performance building block for cloud services. It's more than just a caching proxy server; it also has support for plugins to build large scale web applications. Key features: Caching - Improve your response time, while reducing server load and bandwidth needs by caching...

SUSE CVE-2026-25854

Occasional URL redirection to untrusted Site 'Open Redirect' vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other,...

GHSA-2G3W-CPC4-CHR4 PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading

PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code via spec.loader.execmodule without explicit user consent,...

EUVD-2026-21569

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexmlloadstring without XXE protection. With LIBXMLNOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3...

CVE-2026-35599

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far ...

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the addRepeatIntervalToTime function. An attacker can exhaust server resources and render the application unresponsive by creating tasks with extremely small repeat intervals and due dates far ...

Vikunja has Algorithmic Complexity DoS in Repeating Task Handler

Summary The addRepeatIntervalToTime function uses an On loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming...

[SECURITY] Fedora 42 Update: dnsdist-1.9.12-1.fc42

dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic...

[SECURITY] Fedora 43 Update: dnsdist-2.0.3-1.fc43

dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic...

SUSE SLES12 Security Update : bind (SUSE-SU-2026:1229-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:1229-1 advisory. - CVE-2026-1519: high CPU load during insecure delegation validation due to excessive NSEC3 iterations bsc1260805. Tenable has extracted the preceding...

SUSE SLES15 Security Update : bind (SUSE-SU-2026:1230-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1230-1 advisory. - CVE-2026-1519: high CPU load during insecure delegation validation due to excessive NSEC3 iterations bsc1260805. Tenable has extracted the...

GHSA-9M3C-QCXR-9X87 Apache Tomcat has an Open Redirect vulnerability

Occasional URL redirection to untrusted Site 'Open Redirect' vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other,...