CVE-2026-5788

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods...

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the proxy trap methods in createBridge in the bridge handler code. An attacker can leak a handler...

inngest-js 信息泄露漏洞

Inngest-js is an open-source framework developed by Inngest, designed to support various serverless platforms. It serves as a reliable event-driven and background task execution framework. Versions 3.22.0 to 3.53.1 of Inngest-js contain a vulnerability related to information leakage. This...

PT-2026-38455

Name of the Vulnerable Software and Affected Versions Ivanti EPMM versions prior to 12.6.1.1 Ivanti EPMM versions prior to 12.7.0.1 Ivanti EPMM versions prior to 12.8.0.1 Description Improper Access Control allows a remote unauthenticated attacker to invoke arbitrary methods. Recommendations Upda...

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview inngest is an Official SDK for Inngest.com. Inngest is the reliability layer for modern applications. Inngest combines durable execution, events, and queues into a zero-infra platform with built-in observability. Affected versions of this package are vulnerable to Exposure of Sensitive...

Code Injection

Apache ActiveMQ is vulnerable to Code Injection. The vulnerability is due to improper input validation and improper control of generation of code, where an attacker can construct a malicious broker name that bypasses name validation to include an xbean binding, and then use the DestinationView...

PT-2026-36737

Name of the Vulnerable Software and Affected Versions GV-VMS V20 Description The WebCam Server feature in GV-VMS allows remote access to management and monitoring via a web interface. The gvapi endpoint utilizes a custom authentication mechanism supporting Basic and Digest modes. A stack overflow...

Zero Day Attacks: Novel Behaviour or Novel Vulnerability?

Zero-day attacks pose severe cybersecurity risks due to their high success rates and stealth. Because signature-based approaches struggle to detect such attacks, building Intrusion Detection Systems IDSs for detecting zero-day attacks is essential. We contend that for an IDS to be effective it mu...

CVE-2026-7605 JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downloadImageData server-side request forgery

A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component...

WordPress Disable Payment Methods based on cart conditions for WooCommerce plugin <= 1.16.3 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WooCommerce Disable Payment Methods based on cart conditions versions = 1.16.3...

CVE-2022-50992 Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via XmlRpcServlet

Weaver Fanwei E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and...

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEPDOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batc...

CVE-2026-7111

Text::CSVXS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getlineall methods invoke registered callbacks for example afterparse, beforeprint, or...

[SECURITY] Fedora 43 Update: coturn-4.10.0-1.fc43

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gatew ay. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

Evaluating Jailbreaking Vulnerabilities in LLMs Deployed As Assistants for Smart Grid Operations: A Benchmark against NERC Standards

The deployment of Large Language Models LLMs as assistants in electric grid operations promises to streamline compliance and decision-making but exposes new vulnerabilities to prompt-based adversarial attacks. This paper evaluates the risk of jailbreaking LLMs, i.e., circumventing safety alignmen...

Security update for PackageKit

This update for PackageKit fixes the following issue: CVE-2026-41651: Do not allow re-invoking methods on non-new transactions bsc1262220. Special Instructions and Notes: Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zyppe...

Kirby has XML injection in its XML creator toolkit

TL;DR This vulnerability only affects Kirby sites that use the Xml data handler e.g. Data::encode$string, 'xml' or the Xml::create, Xml::tag or Xml::value methods in site or plugin code. The Kirby core does not use any of the affected methods. If consumers use an affected method and cannot rule o...

Linux Distros Unpatched Vulnerability : CVE-2026-41176

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without...

CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...

CVE-2026-41059 OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...