Use of a Broken or Risky Cryptographic Algorithm

Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...

Use of a Broken or Risky Cryptographic Algorithm

Overview Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the key generation. An attacker can compromise the confidentiality of generated cryptographic keys by exploiting weak or predictable key material. Remediation A fix was pushed into the...

Use of a Broken or Risky Cryptographic Algorithm

Overview Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the cryptographic algorithm implementation. An attacker can compromise the confidentiality of sensitive information by exploiting weak or insufficient cryptographic algorithms...

CVE-2026-40925 WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

CVE-2026-40925 WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

EUVD-2026-24485

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

CVE-2026-40925

WWBN AVideo contains a CSRF vulnerability in objects/configurationUpdate.json.php (also via /updateConfig) that an authenticated admin can be tricked into triggering via cross-origin POST, allowing rewriting of encoder URL, SMTP credentials, site HTML, and more. Affected: WWBN AVideo up through v...

CVE-2026-40909 WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint locale/save.php constructs a file path by directly concatenating $POST'flag' into the path at line 30 without any sanitization. The $POST'code' parameter is then written verbatim to that path via...

EUVD-2026-24288

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint locale/save.php constructs a file path by directly concatenating $POST'flag' into the path at line 30 without any sanitization. The $POST'code' parameter is then written verbatim to that path via...

CVE-2026-40909 WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint locale/save.php constructs a file path by directly concatenating $POST'flag' into the path at line 30 without any sanitization. The $POST'code' parameter is then written verbatim to that path via...

CVE-2026-40909

WWBN AVideo (pre-29.0) contains a path traversal in locale/save.php that concatenates $_POST['flag'] into the target path and writes $_POST['code'] to that path via fwrite(), allowing an attacker with admin access or CSRF to write arbitrary PHP files outside locale/ and achieve Remote Code Execut...

WebDAV PHP Upload

This module exploits WebDAV which also has PHP enabled, such as found on XAMPP servers. It can use do by using any supplied credentials to upload via WebDAV, a PHP payload and then execute it. Module Options msf use exploit/multi/http/webdavuploadphp msf exploitwebdavuploadphp show targets...

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.

Summary IBM App Connect Enterprise runtime, IBM App Connect Enterprise Connector Discovery and OpenAPI Editor and IBM App Connect Enterprise Discovery Connectors are vulnerable to multiple vulnerabilities due to multiple node modules. Vulnerability Details CVEID:CVE-2026-33036 DESCRIPTION:...

Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Liberty shipped with IBM Copy Services manager (CVE-2025-7962)

Summary WebSphere Application Server Liberty is shipped with IBM Copy Services Manager. Information about a security vulnerability affecting WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details CVEID:CVE-2025-7962 DESCRIPTION: In Jakarta Mail 2.0.2...

GHSA-7GCJ-PHFF-2884 Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths

Summary The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service ReDoS attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's...

Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths

Summary The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service ReDoS attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's...

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the path-to-regexp package

Summary Due to use of the path-to-regexp package, DevOps Test Performance and Rational Performance Tester contain a potential Regular Expression Denial of Service ReDoS vulnerability. Vulnerability Details CVEID:CVE-2026-4867 DESCRIPTION: Impact: A bad regular expression is generated any time you...

Important: Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.9.2 release

Red Hat build of OpenTelemetry 3.9.2 has been released This release of the Red Hat build of OpenTelemetry provides security improvements. Breaking changes: None Deprecations: None Technology Preview features: None Enhancements: None Bug fixes: XPath library vulnerability is fixed: Previously, the...

Glances has SSRF in IP Plugin via public_api leading to credential leakage

Summary A Server-Side Request Forgery SSRF vulnerability exists in the Glances IP plugin due to improper validation of the publicapi configuration parameter. The value of publicapi is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who...

GHSA-G5PQ-48MJ-JVW8 Glances has SSRF in IP Plugin via public_api leading to credential leakage

Summary A Server-Side Request Forgery SSRF vulnerability exists in the Glances IP plugin due to improper validation of the publicapi configuration parameter. The value of publicapi is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who...