2728 matches found

OSV
added 2026/04/03 2:44 a.m., 2 views

GHSA-XJ5X-M3F3-5X3H Electron: Service worker can spoof executeJavaScript IPC replies

Impact: A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...

CVSS 5.9, AI score 6, EPSS 0.00006
Exploits: 0, References: 3
Positive Technologies
added 2026/04/03 12:00 a.m., 1 views

PT-2026-30008

Impact: A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...

CVSS 5.9, AI score 6, EPSS 0.00006
Exploits: 0, References: 4
Positive Technologies
added 2026/04/03 12:00 a.m., 1 views

PT-2026-30010

Impact: Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any...

CVSS 8.3, AI score 6, EPSS 0.00012
Exploits: 0, References: 4
RedhatCVE
added 2026/03/31 5:00 p.m., 1 views

CVE-2026-26352

Smoothwall Express versions prior to 3.1 Update 13 contain a stored cross-site scripting vulnerability in the /cgi-bin/vpnmain.cgi script due to improper sanitation of the VPNIP parameter. Authenticated attackers can inject arbitrary JavaScript through VPN configuration settings that executes whe...

CVSS 5.4, AI score 5.9, EPSS 0.00039
Exploits: 0, References: 1
ATTACKERKB
added 2026/03/31 7:30 a.m., 0 views

CVE-2026-5186

A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes a double free. The attack requires local access. The exploit has been made available to the public and...

CVSS 5.3, AI score 5.7, EPSS 0.00018
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies
added 2026/03/30 12:00 a.m., 4 views

PT-2026-29061

Name of the Vulnerable Software and Affected Versions: Smoothwall Express versions prior to 3.1 Update 13. Description: Smoothwall Express is affected by a stored cross-site scripting issue in the /cgi-bin/vpnmain.cgi script. The issue stems from insufficient input validation of the VPN IP parameter...

CVSS 5.4, AI score 5.9, EPSS 0.00039
Exploits: 0, References: 5
vulnersOsv
added 2026/03/29 3:13 p.m., 4 views

com.linkedin.transport:transportable-udfs-test-trino (>=0.1.19 <=0.1.22), com.linkedin.transport:transportable-udfs-trino-plugin (>=0.1.19 <=0.1.22) +8 more potentially affected by CVE-2026-34214 via io.trino:trino-main (>=439 <=479)

io.trino:trino-main MAVEN version =439, =0.1.19, =0.1.19, =464, =439, =472, =439, =439, =439, =439, =464, =472. Source cves: CVE-2026-34214. Source advisory: SNYK:JAVA-IOTRINO-15857194...

CVSS 7.7, AI score 5.8, EPSS 0.0002
Exploits: 0
Tenable Nessus
added 2026/03/28 12:00 a.m., 3 views

NewStart CGSL MAIN 7.02 : expat Vulnerability (NS-SA-2026-0035)

The remote NewStart CGSL host, running version MAIN 7.02, has expat packages installed that are affected by a vulnerability: - An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX...

CVSS 9.8, AI score 6, EPSS 0.01143
Exploits: 0, References: 3
RedhatCVE
added 2026/03/26 3:09 p.m., 2 views

CVE-2026-27166

Discourse is an open source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1 and 2026.1.2, insufficient cleanup in the default Codepen allowed iframes value allows an attacker to trick a user into changing the URL of the main page. This issue has been fixed in versions...

CVSS 5.4, AI score 5.7, EPSS 0.00052
Exploits: 0, References: 1
vulnersOsv
added 2026/03/24 4:04 p.m., 6 views

africa.shuwari.sbt:sbt-js_2.12_1.0 (=0.16.1), africa.shuwari.sbt:sbt-netbeans_2.12_1.0 (>=0.1.0 <=0.1.1) +341 more potentially affected by CVE-2026-32948 via org.scala-sbt:main_2.12 (>=1.0.0-M5 <=1.12.6)

org.scala-sbt:main_2.12 MAVEN version =1.0.0-M5, =0.1.0, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.12.1, =0.14.1, =0.12.1, =0.0.1, =0.0.5 - br.com.mobilemind:livereload_2.12_1.0 =0.2.10 - build.bleep:sbt-export-dependencies_2.12_1.0 =0.4.0 and more. Source cves: CVE-2026-32948. Source advisory:...

CVSS 7.8, AI score 5.8, EPSS 0.00017
Exploits: 1
vulnersOsv
added 2026/03/24 4:04 p.m., 5 views

org.scala-sbt:sbt (>=0.99.2 <=1.0.0-M4), org.scala-sbt:scripted-plugin_2.10 (>=0.99.2 <=1.0.0-M4) +1 more potentially affected by CVE-2026-32948 via org.scala-sbt:main_2.11 (>=0.99.2 <=1.0.0-M4)

org.scala-sbt:main_2.11 MAVEN version =0.99.2, =0.99.2, =0.99.2, =0.99.2, =1.0.0-M4. Source cves: CVE-2026-32948. Source advisory: SNYK:JAVA-ORGSCALASBT-15763414...

CVSS 7.8, AI score 5.8, EPSS 0.00017
Exploits: 1
Veracode
added 2026/03/21 5:27 a.m., 3 views

Path Traversal

PyMuPDF is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths in the embedded get function in main.py, allowing attackers to manipulate paths and write files outside the intended directory, leading to arbitrary file write...

CVSS 7.5, AI score 5.9, EPSS 0.00019
Exploits: 0, References: 5, Affected Software: 1
Fedora
added 2026/03/21 12:55 a.m., 3 views

[SECURITY] Fedora 43 Update: libsoup3-3.6.6-2.fc43

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP (Simple Object Access Protocol) implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the GLib main loop and is designed to work well with GTK applications...

CVSS 5.8, AI score 6.1, EPSS 0.00067
Exploits: 0
ATTACKERKB
added 2026/03/20 7:32 p.m., 4 views

CVE-2026-4499

A vulnerability was determined in D-Link DIR-820LW 2.03. Affected is the function ssdpcgi_main of the component SSDP. Executing a manipulation can lead to OS command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized...

CVSS 7.5, AI score 6.7, EPSS 0.00427
Exploits: 1, References: 6, Affected Software: 1
CVE
added 2026/03/20 7:32 p.m., 4 views

CVE-2026-4499

CVE-2026-4499 affects D-Link DIR-820LW firmware 2.03. The vulnerability targets the SSDP component's ssdpcgi_main function, where manipulation can lead to an OS command injection. The issue can be exploited remotely over the network, and public disclosures indicate an exploit exists. Connections ...

CVSS 9.8, AI score 6.7, EPSS 0.00427
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2026/03/20 2:25 p.m., 2 views

OESA-2026-1677 python-tornado security update

Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setti...

CVSS 8.7, AI score 5.8, EPSS 0.00028
Exploits: 0, References: 2
OSV
added 2026/03/20 12:00 p.m., 1 views

RUSTSEC-2026-0050 `tokio-uds` is unmaintained

The tokio-uds crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

AI score 5.7
Exploits: 0, References: 3
OSV
added 2026/03/20 12:00 p.m., 1 views

RUSTSEC-2026-0057 `tokio-reactor` is unmaintained

The tokio-reactor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

AI score 5.7
Exploits: 0, References: 3
RustSec
added 2026/03/20 12:00 p.m., 4 views

`tokio-executor` is unmaintained

The tokio-executor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

AI score 5.7
Exploits: 0
OSV
added 2026/03/20 12:00 p.m., 4 views

RUSTSEC-2026-0059 `tokio-tcp` is unmaintained

The tokio-tcp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

AI score 5.7
Exploits: 0, References: 3