CVE-2026-1845

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

uutils coreutils 安全漏洞

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. There is a security vulnerability in uutils coreutils. This vulnerability stems from the mkdir utility incorrectly applying permissions when using the -m flag. It first uses umask to derive directory permissions a...

uutils coreutils 安全漏洞

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. There is a security vulnerability in uutils coreutils, which stems from the lack of explicit permission restrictions when nohup is used to create the default output file. This vulnerability could allow any user in...

Nimiq 输入验证错误漏洞

Nimiq is an open-source implementation of the Albatross protocol in Rust. Prior to Nimiq 1.3.0, there was a vulnerability related to input validation. This vulnerability stemmed from the use of BitSet.len in SkipBlockProof::verify, which calculates the for slot checks. This process involves...

OpenRemote 访问控制错误漏洞

OpenRemote is an open-source IoT platform developed by OpenRemote. Versions of OpenRemote prior to 1.22.1 contained a access control vulnerability. This vulnerability stemmed from the possibility for users with the write:admin permission to call the Manager API and update user Keycloak domain rol...

PT-2026-34334

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An insecure direct object reference allows unauthorized users to access and manipulate sensitive data across different tenants. This can result in unauthorized...

PT-2026-34503

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file 0644. In multi-user environments, this allows any user on the...

PT-2026-34489

The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions typically 0755 before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces ...

Synthesizing Multi-Agent Harnesses for Vulnerability Discovery

LLM agents have begun to find real security vulnerabilities that human auditors and automated fuzzers missed for decades, in source-available targets where the analyst can build and instrument the code. In practice the work is split among several agents, wired together by a harness: the program...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013449)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013449 advisory. In the Linux kernel, the following vulnerability has been resolved: dm rq: don't queue request to blk-mq during DM suspend DM uses blk-mq's quiesce/unquiesce to...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013769)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013769 advisory. In the Linux kernel, the following vulnerability has been resolved: xfrm: Reinject transport-mode packets through workqueue The following warning is displayed when t...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013614)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013614 advisory. In the Linux kernel, the following vulnerability has been resolved: apparmor: fix a memleak in multitransactionnew In multitransactionnew, the variable t is not free...

CVE-2026-40944

Summary: CVE-2026-40944 affects Oxia, a metadata store and coordination system. Before 0.16.2, the TLS trustedCertPool() configuration only loads the first PEM block from CA bundles; when multiple certificates (e.g., intermediate + root) are present, the chain is not fully validated for mTLS. Thi...

CVE-2026-40944 Oxia: TLS CA certificate chain validation fails with multi-certificate PEM bundles

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates e.g., intermediate + root CA, only the first certificate is loaded...

K000160935: Curl vulnerability CVE-2025-14017

Security Advisory Description When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific...

EUVD-2026-24037

OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation...

OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

Impact OpenBao's namespaces provide multi-tenant separation. A tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. Patches This was addressed in v2.5.3...

CVE-2026-40574 OAuth2 Proxy has an Authorization Bypass in Email Domain Validation via Malformed Multi-@ Email Claims

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the emaildomain enforcement option. An attacker may be able to authenticate with an email claim such as [email protected]@company.com and...

CVE-2026-40264

A flaw was found in OpenBao. OpenBao's multi-tenant separation feature allows a privileged administrator in one tenant to revoke or renew a token belonging to another tenant if that token's accessors are leaked. This unauthorized token management could lead to a denial of service for the affected...

SUSE CVE-2026-40264

OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...