CVE-2026-9039 Initialization of a resource with an insecure default in XCharge C6
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013288)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013288 advisory. An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection in the Apple MDM profile delivery pipeline. An attacker can access or modify sensitive database contents, such as user credentials, API tokens, and device enrollment secrets, by sending a malicious UDID during the MDM...
Cross-Site Scripting
Home Assistant is vulnerable to Cross-Site Scripting. The vulnerability is due to an authenticated party adding a malicious name to their device entity, where the malicious name allows for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that...
EUVD-2026-16774
Home Assistant has stored XSS in Map-card through malicious device name...
GHSA-R584-6283-P7XC Home Assistant has stored XSS in Map-card through malicious device name
Summary: An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point The lines or the dots...
Home Assistant has stored XSS in Map-card through malicious device name
Summary: An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point The lines or the dots...
CVE-2026-33044
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see ...
CVE-2026-33044
CVE-2026-33044 affects Home Assistant. An authenticated party can set a malicious name on a device entity, enabling stored XSS in dashboards containing a Map-card when a user hovers an information point. Vulnerable since 2020.02 up to 2026.01; fixed in 2026.01. The issue impacts dashboards visibl...
CVE-2026-33044 Home Assistant has stored XSS in Map-card through malicious device name
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see ...
EUVD-2026-15254
In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not ha...
EUVD-2026-15219
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not...
UBUNTU-CVE-2026-23290
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not...
CVE-2026-23312
In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not ha...
CVE-2026-23365 net: usb: kalmia: validate USB endpoints
In the Linux kernel, the following vulnerability has been resolved: net: usb: kalmia: validate USB endpoints The kalmia driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not ha...
CVE-2026-23312 net: usb: kaweth: validate USB endpoints
In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not ha...
CVE-2026-23290 net: usb: pegasus: validate USB endpoints
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not...
USN-8119-1 systemd vulnerabilities
It was discovered that systemd incorrectly handled certain cgroup paths. A local attacker could possibly use this issue to cause systemd to crash, resulting in a denial of service. (CVE-2026-29111) It was discovered that the systemd udev component incorrectly handled certain fields received from th...
CVE-2025-46305
The issue was addressed with improved bounds checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Sonoma 14.8.4. A malicious HID device may cause an unexpected process crash...