Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple issues

Summary Multiple vulnerabilities affect IBM Sterling Secure Proxy and are addressed in the latest release and fixpack Vulnerability Details CVEID:CVE-2026-25639 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig...

Security Bulletin: Security Vulnerabilities were found in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory (CVE-2025-53066, CVE-2025-53057)

Summary Security Vulnerabilities were addressed in IBM Semeru Runtime Certified Edition provided with IBM Security Verify Directory Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause...

Security Bulletin: Vulnerability in libssh library (CVE-2025-5372) affects Power HMC.

Summary The libssh library is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-5372 DESCRIPTION: A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the sshkdf function responsible...

PT-2026-30713

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize settings nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

fast-jwt 加密问题漏洞

fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt up to 6.1.0 contained a vulnerability related to encryption. This vulnerability stemmed from the ^ anchor character in the publicKeyPemMatcher regular expression, which could be bypassed by leading spaces i...

PT-2026-30730

A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to risky cryptographic algorithm. The attack may be performed from remote. The attack requires ...

📄 ASP.net 8.0.10 HTTP Request Smuggling / Authentication Bypass

ASP.net version 8.0.10 suffers from HTTP request smuggling, bypass, and server-side request forgery vulnerabilities. Exploit Title: ASP.net 8.0.10 - Bypass Date: 2025-11-03 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer CV...

Fedora: Security Advisory (FEDORA-2026-f47b1861e4)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

ASP.net 8.0.10 - Bypass

Exploit Title: ASP.net 8.0.10 - Bypass Date: 2025-11-03 Author: Mohammed Idrees Banyamer Author Country: Jordan Instagram: @banyamersecurity GitHub: https://github.com/mbanyamer CVE: CVE-2025-55315 Tested on: .NET Kestrel unpatched - ASP.NET Core on localhost lab environment Platform: remote Type...

Fortinet FortiWeb v8.0.1 - Auth Bypass

Titles:Fortinet FortiWeb v8.0.1 - Auth Bypass Author: nu11secur1ty Date: 11/15/2025 Vendor: https://www.fortinet.com/ Software: v8.0.1 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64446 Description: CVE-2025-64446 is a critical path traversal vulnerability affecting multiple versions of...

Go JOSE 安全漏洞

Go JOSE is an implementation of the JOSE standard in Go, open sourced under the Go JOSE project. Versions prior to Go JOSE 4.1.4 and 3.0.5 contained security vulnerabilities. These vulnerabilities occurred when decrypting JSON Web Encryption objects. If the alg field indicated the key wrapping...

GuvenliWebYazilimiGelistirme-CipherNone-

🛡️ CipherNone: JWT "alg: none" Vulnerability & Hardening Lab...

curl: Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl

detail: - lib/setopt.c:1048-1051 - CURLOPTSOCKS5AUTH is stored into data-set.socks5auth - lib/socks.c:597-641 socks5req0init - fresh SOCKS5 handshake reads data-set.socks5auth, if BASIC is not allowed, it clears sx-proxyuser at 618-620, so username/password auth is not even offered -...

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package...

Linux Distros Unpatched Vulnerability : CVE-2026-23474

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - mtd: Avoid boot crash in RedBoot partition table parser Given CONFIGFORTIFYSOURCE=y and a recent compiler, commit 439a1bcac648 fortify: Use...

Linux Distros Unpatched Vulnerability : CVE-2026-23469

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - drm/imagination: Synchronize interrupts before suspending the GPU The runtime PM suspend callback doesn't know whether the IRQ handler is in progress on a...

Exploit for CVE-2026-35570

Breaking Out of the Sandbox: How I Found a Critical Path Trave...

Exploit for Deserialization of Untrusted Data in Linuxfoundation Opentelemetry_Instrumentation_For_Java

CVE-2026-33701 — Unsafe Deserialization in OpenTelemetry Java...

OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

...

LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...