
Vulnrichment
added 2026/05/07 2:58 a.m.

CVE-2026-41657 Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php

Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php), which correctly requires the stronger isAdministrator() check, requiring...

CVSS: 4.9, AI score: 5.8, EPSS: 0.00322
Exploits: 0, References: 2
CVE
added 2026/05/07 2:58 a.m.

CVE-2026-41657

Summary: Admidio before version 5.0.9 exposed cross-organization member data via the contacts_data.php endpoint due to a weaker permission check (isAdministratorUsers()) compared to the frontend (isAdministrator()) and the contacts_show_all setting. This allowed a user manager (rol_edit_user) wi...

CVSS: 4.9, AI score: 5.8, EPSS: 0.00322
Exploits: 0, References: 2
Snyk
added 2026/05/07 1:49 a.m.

Authorization Bypass Through User-Controlled Key

Overview: aegra-api is the Aegra core API, a self-hosted Agent Protocol server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the POST /threads/{thread_id}/runs, POST /threads/{thread_id}/runs/stream, and POST /threads/{thread_id}/runs/wait endpoints...

CVSS: 8.6, AI score: 5.9, EPSS: 0.00285
Exploits: 0, References: 3
Fedora
added 2026/05/07 1:27 a.m.

[SECURITY] Fedora 42 Update: vim-9.2.390-1.fc42

VIM (VIsual editor iMproved) is an updated and improved version of the vi editor. Vi was the first real screen-based editor for UNIX, and is still very popular. VIM improves on vi by adding new features: multiple windows, multi-level undo, block highlighting and more...

CVSS: 7.8, AI score: 5.8, EPSS: 0.0062
Exploits: 0
Snyk
added 2026/05/07 1:26 a.m.

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the RESTClientGetter configuration. An attacker can gain unauthorized access to sensitive resources and escalate privileges by exploiting incomplete ServiceAccount impersonation, allowing them to read secrets...

CVSS: 9.9, AI score: 5.8, EPSS: 0.00379
Exploits: 0, References: 2
Packet Storm News
added 2026/05/07 12:00 a.m.

MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security

Our computing ecosystem is being transformed by two emerging paradigms: the increased deployment of agentic AI systems and advancements in quantum computing. With respect to agentic AI systems, one of the most critical problems is creating secure governing architectures that ensure agents follow...

AI score: 5.8
Exploits: 0
Packet Storm News
added 2026/05/07 12:00 a.m.

Profiling for Pennies: Unveiling the Privacy Iceberg of LLM Agents

Large Language Models (LLMs) have revolutionized how information is collected, aggregated, and reasoned about. However, this enables a novel and accessible vector of privacy intrusion: automated and in-depth personal profiling, which engenders a chilling effect of "peepers everywhere". Existing...

AI score: 5.8
Exploits: 0
OSV
added 2026/05/06 11:13 p.m.

GHSA-9H64-2846-7X7F Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening

Summary: Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a...

CVSS: 9.1, AI score: 5.9
Exploits: 0, References: 4
Github Security Blog
added 2026/05/06 11:13 p.m.

Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening

Summary: Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a...

AI score: 5.9
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/05/06 10:12 p.m.

GHSA-JMXC-HHWX-GVV3 Private Lemmy instances expose multi-community metadata without authentication

NOTE: Only affects development version. Summary: read_multi_community does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists. Details: Other read handler...

CVSS: 5.3, AI score: 5.4
Exploits: 0, References: 3
Github Security Blog
added 2026/05/06 10:12 p.m.

Private Lemmy instances expose multi-community metadata without authentication

NOTE: Only affects development version. Summary: read_multi_community does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists. Details: Other read handler...

AI score: 5.4
Exploits: 0, References: 3, Affected Software: 1
GithubExploit
added 2026/05/06 9:59 p.m.

Exploit for Missing Authentication for Critical Function in Cpanel

CVE-2026-41940: WHM/cPanel Authentication Bypass Research...

CVSS: 9.8, AI score: 6, EPSS: 0.90543
Exploits: 62
OSV
added 2026/05/06 9:59 p.m.

GHSA-55GC-6FMC-FPX9 Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`

Summary: A missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belongi...

CVSS: 5.3, AI score: 5.9, EPSS: 0.00181
Exploits: 0, References: 3
RedhatCVE
added 2026/05/06 8:21 p.m.

CVE-2026-28510

eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with...

CVSS: 5.9, AI score: 5.8, EPSS: 0.00254
Exploits: 0, References: 1
RedhatCVE
added 2026/05/06 3:03 p.m.

CVE-2026-43093

A flaw was found in the Linux kernel's xsk (AF_XDP) subsystem due to insufficient validation of the User Memory (UMEM) headroom. This vulnerability could lead to memory corruption, specifically of the skb_shared_info data structure, if multi-buffer is enabled. Such corruption could result in system...

CVSS: 7.8, AI score: 5.8, EPSS: 0.00129
Exploits: 0, References: 4
The Hacker News
added 2026/05/06 1:00 p.m.

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social...

AI score: 5.8
Exploits: 0
EUVD
added 2026/05/06 12:30 p.m.

EUVD-2026-27704

In the Linux kernel, the following vulnerability has been resolved: mfd: core: Add locking around 'mfd_of_node_list'. Manipulating a list in the kernel isn't safe without some sort of mutual exclusion. Add a mutex any time we access / modify 'mfd_of_node_list' to prevent possible crashes...

AI score: 5.8, EPSS: 0.00128
Exploits: 0, References: 7
EUVD
added 2026/05/06 12:30 p.m.

EUVD-2026-27597

In the Linux kernel, the following vulnerability has been resolved: xsk: tighten UMEM headroom validation to account for tailroom and min frame. The current headroom validation in xdp_umem_reg could leave us with insufficient space dedicated to even receive a minimum-sized ethernet frame. Furthermore ...

AI score: 5.7, EPSS: 0.00129
Exploits: 0, References: 6
ATTACKERKB
added 2026/05/06 11:28 a.m.

CVE-2026-43263

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix Null reference while testing fluster. When multiple instances are created/destroyed, many interrupts happen and structures for the decoder are removed. "struct vpu_instance" is shared for all...

AI score: 5.8, EPSS: 0.00119
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2026/05/06 11:28 a.m.

CVE-2026-43263 media: chips-media: wave5: Fix Null reference while testing fluster

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix Null reference while testing fluster. When multiple instances are created/destroyed, many interrupts happen and structures for the decoder are removed. "struct vpu_instance" is shared for all...

CVSS: 7.8, EPSS: 0.00119
Exploits: 0, References: 3