SUSE CVE-2026-44059

A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption...

PT-2026-42727

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splw update block options and lwp clean weather transients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers...

WordPress Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Form Structure Modification vulnerability discovered by Thanh Toan Bui in WordPress Plugin Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder versions = 1.1.1...

CVE-2026-48236

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in dbloader.php where the multiple POST parameters ticketsdb, ticketshost, ticketsuser, ticketspassword are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database withou...

CVE-2026-48232

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsitincidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modif...

EUVD-2026-31311

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters tablename, indexname, sortby are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated...

WordPress Location Weather – WordPress Weather Forecast, AQI, Temperature and Weather Widget plugin <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging vulnerability

Missing Authorization to Authenticated Contributor+ Block Settings Modification and Cache Purging vulnerability discovered by momopon1415 in WordPress Plugin Location Weather versions = 3.0.2...

CVE-2026-44063

A flaw was found in Netatalk. This vulnerability, an LDAP filter injection, allows a remote attacker with low privileges to manipulate LDAP queries. This could lead to the disclosure of sensitive information or unauthorized modification of data within the LDAP directory...

CVE-2026-34926

CVE-2026-34926 concerns the on‑premise Apex One server, where a directory traversal flaw could let a pre‑authenticated local attacker with admin access modify a server key table to inject code that is deployed to agents. The vulnerability is limited to the on‑premise deployment; no public exploit...

CVE-2026-7837

A flaw was found in Netatalk. A remote attacker may exploit a time-of-check time-of-use TOCTOU condition, where the state of a resource is checked, and then used, but the state changes between the check and the use. This condition, specifically in the adflush function, involves root-privileged fi...

CVE-2026-7837

A time-of-check time-of-use TOCTOU condition in the adflush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions...

MAL-2026-4393 Malicious code in @hanssoft/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 063fa3a06df50a8c53c5eb05ac4d1214e6fa1edfb18d03c8484fa2014190659a Package name impersonates the well-known libsignal-node Signal Protocol library and ships a verbatim copy of its README, but the code is unrelated. O...

BIT-DRUPAL-2026-6366 Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7...

CVE-2026-7837 TOCTOU with root privilege in ad_flush

A time-of-check time-of-use TOCTOU condition in the adflush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions...

CVE-2026-7837 TOCTOU with root privilege in ad_flush

A time-of-check time-of-use TOCTOU condition in the adflush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions...

CVE-2026-7837

CVE-2026-7837 is a TOCTOU vulnerability in Netatalk 3.0.0 through 4.4.2 affecting the ad_flush function. The issue involves root-privileged file operations and could allow a remote attacker to cause limited data modification under specific race conditions. The NVD entry documents a Network attack...

EUVD-2026-31245

A time-of-check time-of-use TOCTOU condition in the adflush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions...

CVE-2026-7837

A time-of-check time-of-use TOCTOU condition in the adflush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions...

CVE-2026-7836

An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input...

CVE-2026-7836

An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input...