Positive Technologies
added 2026/03/18 12:0 a.m.

PT-2026-26156

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

CVSS 9.1, AI score 6.2, EPSS 0.00269
Exploits: 0, References: 6
Positive Technologies
added 2026/03/18 12:0 a.m.

PT-2026-26218

Name of the Vulnerable Software and Affected Versions: Drupal Automated Logout versions 0.0.0 through 1.6.9; Drupal Automated Logout versions 2.0.0 through 2.0.1. Description: The Automated Logout module for Drupal does not adequately protect its routes against Cross-Site Request Forgery (CSRF). This...

AI score 5.8, EPSS 0.00109
Exploits: 0, References: 3
CNNVD
added 2026/03/18 12:0 a.m.

kube-router security vulnerability

Kube-router is a Kubernetes networking solution open-sourced by CloudNative Labs. Versions of Kube-router prior to 2.8.0 contain security vulnerabilities that stem from the proxy module not validating externalIPs or loadBalancer IPs, which could lead to improper network...

CVSS 7.1, AI score 6.4, EPSS 0.00297
Exploits: 1, References: 3
CNNVD
added 2026/03/18 12:0 a.m.

Devise race condition vulnerability

Devise is an open-source authentication solution based on Warden, developed by heartcombo. Versions of Devise prior to 5.0.3 contain a race condition in the Confirmable module. This vulnerability could allow attackers to confirm email addresses that...

CVSS 6, AI score 5.8, EPSS 0.00275
Exploits: 0, References: 5
Oracle linux
added 2026/03/18 12:0 a.m.

grub2 security update

2.06-114.0.1.el97.1
- Update grub2 dependencies to match new Secure Boot certificate chain of trust (Orabug: 37766761)
- Fix typo in SBAT metadata (Orabug: 37693946)
- Allow installation of grub2 only with shim-aa64 that allows booting it (Orabug: 37693946)
- net/dns: Fix removal of DNS server (Orabug: ...)

CVSS 7.8, AI score 5.8, EPSS 0.00872
Exploits: 0
CNNVD
added 2026/03/18 12:0 a.m.

glances security vulnerability

Glances is a system monitoring tool developed by Nicolas Hennion. Versions of Glances prior to 4.5.3 contain a security vulnerability in the DuckDB export module, where table names and column names are inserted directly into SQL statements, potentially leading ...

CVSS 9.1, AI score 5.9, EPSS 0.00325
Exploits: 1, References: 4
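Worked example, added to this listing and not code from Glances, OpenProject or the advisories themselves: the identifier-injection pattern that both the OpenProject entry (custom field name used in a Cost Report query) and the Glances entry (table and column names in the DuckDB export) describe, with a vulnerable export beside a hardened one. It uses Python's bundled sqlite3 as a stand-in for DuckDB (an assumption; the pattern is engine-independent), a constructed schema and a constructed attacker-controlled column name; the function names are this example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the export target."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE metrics (cpu REAL, mem REAL);
        INSERT INTO metrics VALUES (12.5, 40.0);
        CREATE TABLE secrets (token TEXT);
        INSERT INTO secrets VALUES ('s3cr3t-token');
        """
    )
    return conn


def vulnerable_export(conn, table, columns):
    """Bug class from the advisories: names are pasted into the statement text.
    A table or column name is not a value, so binding parameters cannot carry
    it, and the easy path is string concatenation."""
    sql = "SELECT " + ", ".join(columns) + " FROM " + table
    return sql, [tuple(row) for row in conn.execute(sql)]


def quote_identifier(name):
    """Quote a name so the engine parses it as an identifier, never as SQL.
    Double quotes inside the name are doubled, the standard SQL escape."""
    if not isinstance(name, str) or not name or "\x00" in name:
        raise ValueError("identifier must be a non-empty string without NUL")
    return '"' + name.replace('"', '""') + '"'


def safe_export(conn, table, columns):
    """Allowlist names against the catalog first, then quote them anyway
    (defence in depth: quoting alone would turn the payload into a harmless
    'no such column' error, the catalog check gives a clean ValueError)."""
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in tables:
        raise ValueError(f"unknown table {table!r}")
    # pragma_table_info is a table-valued function, so the name is bindable
    known_cols = {r[0] for r in conn.execute(
        "SELECT name FROM pragma_table_info(?)", (table,))}
    bad = [c for c in columns if c not in known_cols]
    if bad:
        raise ValueError(f"unknown column(s) {bad!r}")
    sql = ("SELECT " + ", ".join(quote_identifier(c) for c in columns)
           + " FROM " + quote_identifier(table))
    return sql, [tuple(row) for row in conn.execute(sql)]


# Constructed attacker-controlled "column name": in the OpenProject case this
# would be a custom field's name, in the Glances case a metric or table name.
EVIL_COLUMN = "cpu FROM metrics UNION SELECT token FROM secrets --"


def demo():
    """Run both exports against the same payload; returns (leaked rows,
    whether the hardened export refused it, rows from a legitimate export)."""
    conn = make_db()
    _, leaked = vulnerable_export(conn, "metrics", [EVIL_COLUMN])
    try:
        safe_export(conn, "metrics", [EVIL_COLUMN])
        blocked = False
    except ValueError:
        blocked = True
    _, legit = safe_export(conn, "metrics", ["cpu", "mem"])
    return leaked, blocked, legit
```

The vulnerable statement becomes `SELECT cpu FROM metrics UNION SELECT token FROM secrets -- FROM metrics`, so the trailing `FROM metrics` is commented away and the secrets table's contents ride along in the export. Where a schema allowlist is not available (user-defined report columns), the catalog check is the part to keep; quoting alone is the minimum.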
Tenable Nessus
added 2026/03/18 12:0 a.m.

EulerOS Virtualization 2.13.1 : kernel (EulerOS-SA-2026-1637)

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: scsi: target: Fix WRITESAME No Data Buffer crash (CVE-2022-21546); iommu/arm-smmu-v3-sva: Fix mm use-after-free (CVE-2022-49426); module: f...

CVSS 7.8, AI score 6.8, EPSS 0.00331
Exploits: 2, References: 346
Packet Storm News
added 2026/03/18 12:0 a.m.

FreePBX Filestore Module Exposure Scanner

This Python script is a lightweight security scanner that detects FreePBX installations and checks basic indicators related to the vulnerability CVE-2025-64328...

CVSS 8.6, AI score 6.1, EPSS 0.84417
Exploits: 4
Tenable Nessus
added 2026/03/18 12:0 a.m.

EulerOS Virtualization 2.13.1 : grub2 (EulerOS-SA-2026-1636)

According to the versions of the grub2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandl...

CVSS 7.8, AI score 5.9, EPSS 0.0019
Exploits: 0, References: 5
OSV
added 2026/03/17 11:56 p.m.

CVE-2026-27977 Next.js: null origin can bypass dev HMR websocket CSRF checks

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing...

CVSS 2.3, AI score 5.8, EPSS 0.00171
Exploits: 1, References: 5
Vulnrichment
added 2026/03/17 8:20 p.m.

CVE-2026-2809 Endpoint DLP Driver DLL

Netskope was notified of a potential gap in the Endpoint DLP module of the Netskope Client on Windows systems. Successful exploitation of the gap can allow a privileged user to trigger an integer overflow within the DLL Injector, leading to a Blue Screen of Death (BSOD). Successful...

CVSS 6.7, AI score 5.8, EPSS 0.00158
Exploits: 0, References: 1
CVE
added 2026/03/17 8:20 p.m.

CVE-2026-2809

CVE-2026-2809 concerns Netskope’s Endpoint DLP Driver DLL Injector on Windows. Reported as a potential integer overflow in the DLL Injector, exploiting it may cause a local BSOD and denial of service, with exploitation requiring the Endpoint DLP module to be enabled in the client configuration. C...

CVSS 6.7, AI score 5.8, EPSS 0.00158
Exploits: 0, References: 1
RedHat Linux
added 2026/03/17 6:20 p.m.

grub2: Missing unregister call for gettext command may lead to use-after-free

A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the applicati...

CVSS 7.8, AI score 5.8, EPSS 0.0019
Exploits: 0, References: 5
OSV
added 2026/03/17 5:24 p.m.

GHSA-57HQ-95W6-V4FC Devise has a confirmable "change email" race condition permits user to confirm email they have no access to

Impact: A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an...

CVSS 6, AI score 5.8, EPSS 0.00275
Exploits: 0, References: 7
Github Security Blog
added 2026/03/17 3:29 p.m.

Next.js: null origin can bypass dev HMR websocket CSRF checks

Summary: In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server...

CVSS 5.4, AI score 5.8, EPSS 0.00171
Exploits: 1, References: 5, Affected Software: 1
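Worked example, added to this listing and not Next.js code: the Origin-header check pattern that the Next.js entries (the OSV entry above and this one) describe, in Python, with the "null is a bypass" logic beside a hardened check. It assumes allowedDevOrigins is a set of hostnames and that the dev server compares the WebSocket handshake's Origin header against its own Host header; the function names and the constructed handshake headers are this example's own.

```python
from urllib.parse import urlsplit

# Constructed WebSocket (HMR) handshake headers. A sandboxed iframe or other
# opaque browsing context sends the literal string "null" as its Origin.
ATTACK_HANDSHAKE = {"Host": "localhost:3000", "Origin": "null",
                    "Upgrade": "websocket"}
LEGIT_HANDSHAKE = {"Host": "localhost:3000", "Origin": "http://localhost:3000",
                   "Upgrade": "websocket"}


def vulnerable_origin_allowed(origin, request_host, allowed_dev_origins):
    """Pattern the advisory describes: an opaque origin is waved through as if
    the request could not be cross-site, regardless of allowedDevOrigins."""
    if origin is None or origin == "null":
        return True  # BUG: "null" is exactly what a sandboxed attacker page sends
    parts = urlsplit(origin)
    return parts.netloc == request_host or parts.hostname in allowed_dev_origins


def hardened_origin_allowed(origin, request_host, allowed_dev_origins):
    """Only an explicit http(s) origin naming this server or an allowlisted
    hostname may reach internal dev endpoints. "null", absent and malformed
    origins are all rejected (rejecting an absent Origin is this example's
    choice; browsers always send one on a WebSocket handshake)."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.netloc == request_host:
        return True
    return parts.hostname in allowed_dev_origins


def accept_upgrade(headers, allowed_dev_origins, check=hardened_origin_allowed):
    """Gate a handshake on its Origin; `check` lets the two policies be compared."""
    if headers.get("Upgrade", "").lower() != "websocket":
        return False
    return check(headers.get("Origin"), headers.get("Host", ""),
                 allowed_dev_origins)
```

The two policies differ only on opaque origins: a page that a developer happens to have open in a sandboxed or privacy-restricted context presents "null", and the vulnerable branch accepts it as if it were the dev server itself. Treating "null" as untrusted costs nothing, because no legitimate same-origin client ever sends it.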
EUVD
added 2026/03/17 3:29 p.m.

EUVD-2026-12683

Next.js: null origin can bypass dev HMR websocket CSRF checks...

CVSS 2.3, AI score 5.8, EPSS 0.00171
Exploits: 1, References: 3
NVD
added 2026/03/17 3:16 p.m.

CVE-2025-13406

NULL Pointer Dereference vulnerability in Softing Industrial Automation GmbH smartLink SW-HT Webserver modules allows HTTP DoS. This issue affects smartLink SW-HT: 1.43...

CVSS 6.8, EPSS 0.00315
Exploits: 0, References: 2