CVE-2026-52725 Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component...
EUVD-2026-38063
The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers ...
CVE-2026-12238
The WP Go Maps WordPress plugin (up to version 10.1.01) is vulnerable to an authorization bypass that allows unauthenticated attackers to create arbitrary records in plugin tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-bac...
CVE-2026-52909
The CVE-2026-5299x family concerns the Linux kernel IPv6 virtual tunnel interfaces. The issue: in vti6_init_net(), the per-netns fallback tunnel device (ip6_vti0) does not set the netns_immutable flag, allowing the device to be moved between network namespaces. This flag is correctly set by other...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: book3s64/radix: Align the start address of the vmemmap section with PAGE_SIZE. The vmemmap altmap is a device-provided region used to provide backing storage for struct pages. For each namespace, the altmap should belong to the sa...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: ipmr: Consolidate the ipmr_can_free_table() checks. Guoyu Yin reported a crash in the ipmr netns cleanup path: WARNING: CPU: 2 PID: 14564 at net/ipv4/ipmr.c:440 ipmr_free_table net/ipv4/ipmr.c:440 [inline] WARNING: CPU: 2 PID: 14564 at...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: net/tipc: fixed the slab-use-after-free issue in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840. Syzbot reported a slab-use-after-free with the following call trace:...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing it. The function do_fanotify_mark() does not validate whether mnt_ns_from_dentry() returns NULL before dereferencing mnt_ns->user_ns. This causes a NULL pointer...
CVE-2026-55225
When the Strimzi cluster operator is deployed with watchAnyNamespace=true or a multi-namespace list, any namespace editor can set Kafka.spec.entityOperator.userOperator.watchedNamespace or topicOperator.watchedNamespace to an arbitrary namespace. The cluster operator then creates a Role granting...
Siemens RuggedCom Rox Path Traversal (CVE-2025-6020)
A flaw was found in linux-pam. The pam_namespace module may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions. This plugin only works with Tenable.ot. Please visit...
kernel: geneve: Fix use-after-free in geneve_find_dev().
A use-after-free vulnerability exists in the Linux kernel. When dev_net is dismantled, the geneve_exit_batch_rtnl() function calls unregister_netdevice_queue() for each device in the network namespace. Later, when the device is freed, it is still linked to the backend UDP socket in the network namespace...
CVE-2026-6933
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the...
EUVD-2026-37033
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the...
MAL-2026-5863 Malicious code in @ts-internal/shared-lib (npm)
Source: amazon-inspector 7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171. The package squats the internal-looking scope @ts-internal/shared-lib on the public npm registry and runs a network beacon both during install...
PT-2026-49618
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of namespaced elements and attributes during template compilation and sanitization. An attacker can execute arbitrary JavaScript in the user's browser by injecting specially crafted templat...
MAL-2026-5777 Malicious code in field-plus (npm)
Source: amazon-inspector 0112dc4801bb261e86a2f68d5fd49b6c955bb4e82f872c72e61e49cc638ca91c. package.json declares both preinstall and postinstall scripts that run curl against a hardcoded bare-IP HTTP endpoint http://3.7.226.146:9000/callbac...
MAL-2026-5744 Malicious code in loadninja-shared (npm)
Source: amazon-inspector dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46. [email protected] is a dependency-confusion package targeting an internal/private package namespace. package.json declares "postinstall": "node...