RLSA-2026:16692 Important: jq security update

jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text. Security Fixes: jq: out-of-bounds read in...

firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Spoofing issue in the DOM: Core & HTML component...

firefox: thunderbird: Incorrect boundary conditions in the DOM: Device Interfaces component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions in the DOM: Device Interfaces component...

firefox: thunderbird: Use-after-free in the DOM: Core & HTML component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the DOM: Core & HTML component...

CVE-2026-6206

The MW WP Form plugin for WordPress (versions

CVE-2026-5395 Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This mak...

CVE-2026-5395

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This mak...

EUVD-2026-30250

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This mak...

CVE-2026-5395

The Fluent Forms plugin for WordPress (Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder) is affected by CVE-2026-5395, with vulnerable versions all the way through 6.2.0. The root cause is an Insecure Direct Object Reference in the exportEntries function caus...

CVE-2026-42778

A flaw was found in Apache MINA. An incomplete fix for a deserialization issue in the AbstractIoBuffer.getObject method allowed a static initializer in a class to be executed before the classname allowlist was applied. This vulnerability allows a remote attacker to execute arbitrary code in...

CVE-2025-14870

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation...

Fedora 42 : php (2026-3a58db70ca)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-3a58db70ca advisory. PHP version 8.4.21 07 May 2026 Core: Fixed bug GH-19983 GC assertion failure with fibers, generators and destructors. iliaal Fixed bug GH-21478...

PT-2026-41074

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.168 Description Object corruption in Compositing allows a remote attacker who has compromised the renderer process to leak cross-origin data through a crafted HTML page. Recommendations Update to...

PT-2026-41213

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the DatasetRow create and update processes. The application uses Object.assign to copy the request body into the DatasetRow entity without an explicit field allowlis...

PT-2026-40913

Unsafe object reference IDOR in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee first names, last...

PT-2026-41111

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.168 Description An object lifecycle issue in Dawn allows a remote attacker to obtain potentially sensitive information from process memory by using a crafted HTML page. Recommendations Update to versi...

PT-2026-41214

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the evaluation create and update processes. The server uses Object.assign to copy the request body into the Evaluation entity without an explicit field allowlist,...

RockyLinux 10 : jq (RLSA-2026:16692)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:16692 advisory. jq: out-of-bounds read in jvparsesized on error formatting for non-NUL-terminated buffers CVE-2026-39979 jq: jq: Denial of Service via crafted JSON...

PT-2026-40887

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This mak...

PT-2026-41119

Name of the Vulnerable Software and Affected Versions OneDev versions prior to 15.0.2 Description OneDev is a Git server featuring CI/CD, kanban, and packages. A flaw exists where the boundary between repository-controlled LFS Large File Storage metadata and server-local filesystem paths is...