ROOT-OS-DEBIAN-11-CVE-2024-42230 CVE-2024-42230 in rootio-linux - Patched by Root
Root has patched CVE-2024-42230 in the rootio-linux package for Root:Debian:11. Multiple fixed versions available...
SiYuan Note - Cross-Site Scripting
Unauthenticated reflected cross-site scripting (XSS) vulnerability in all versions of SiYuan Note containing /api/icon/getDynamicIcon with unsafe type=8 rendering logic. Attacker-controlled content is inserted directly into SVG output without proper sanitization. An attacker can execute arbitrary...
SiYuan Note - Cross-Site Scripting
SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the /api/icon/getDynamicIcon endpoint due to improper filtering of SVG elements with a namespace prefix such as . By using a namespaced script element, attackers can bypass the SanitizeSVG...
CVE-2026-54022
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, the ydoc:document:join Socket.IO handler checks note ownership only when the document_id starts with note: (colon). However, the YdocManager storage layer normalizes all document IDs b...
MINI-M8HR-FP8X-9F4F
Bulletin has no description...
Astra Linux – Vulnerabilities in Linux-6.1, Linux-5.15, Linux-5.10
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: Un-sharing of page tables occurs during VMA splitting, not before. Currently, __split_vma triggers the un-sharing of hugetlb page tables through vm_ops->may_split. This occurs before the VMA lock and rmap locks are taken –...
EUVD-2026-37752
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass...
CVE-2026-10023
Dokan: AI Powered WooCommerce Marketplace Solution
Ruby net-imap < 0.5.15 / 0.6.x < 0.6.4.1 Multiple Vulnerabilities
The version of the net-imap Ruby library installed on the remote host is prior to 0.5.15, or 0.6.x prior to 0.6.4.1. It is, therefore, affected by multiple vulnerabilities. - Several Net::IMAP commands accept a raw data argument that is sent verbatim after validation to prevent command injection...
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Summary: The ydoc:document:join Socket.IO handler checks note ownership only when the document_id starts with note: (colon). However, the YdocManager storage layer normalizes all document IDs by replacing colons with underscores (document_id.replace(":", "_")). An attacker can join a document room using no...
MINI-5G6W-2MHP-9PW6
Bulletin has no description...
CVE-2026-55748
OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability...
SiYuan Note <= 3.6.5 - Authentication Bypass
SiYuan Note 3.6.5 and prior is vulnerable to authentication bypass. The CheckAuth middleware unconditionally trusted all chrome-extension:// origins, granting RoleAdministrator access without token validation to any request with a spoofed Origin header. Fixed in v3.7.0. id: CVE-2026-54069 info:...
CGA-975R-FF3V-VCPP
Bulletin has no description...
PT-2026-50413
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.7.0. Description: The kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without authentication. When combined with the...
PT-2026-50593
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.11. Description: An authorization bypass exists in the ydoc:document:join Socket.IO handler. The handler only performs ownership checks when the document id variable starts with the prefix note: (colon). However, t...
Linux Distros Unpatched Vulnerability : CVE-2026-12308
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. CVE-2026-12308...
CVE-2026-46944
Technical details (affected product, vulnerable component, impact, remediation) are not publicly available in the provided documents. Monitor for updates from Oracle and CVE feeds.
CVE-2026-46940
...
CVE-2026-46897
...