GHSA-XXQH-MFJM-7MV9 Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

NETTY HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization | Field | Value | |-----------|-------| | Library | io.netty:netty-codec-http | | Component | codec-http — HttpObjectDecoder | | Severity | HIGH | | Affects | HEAD, commit 4f3533ae confirmed | --- Summary HttpObjectDecoder strips a...

CVE-2026-43273

A flaw was found in the Linux kernel's Ceph file system module. The cephzeropartialobject function, responsible for handling object write operations, was missing proper snapshot context. This oversight could allow a local attacker to cause data inconsistencies within snapshots, leading to a loss ...

XMLDOM 安全漏洞

XMLDOM is a JavaScript implementation of the W3C DOM for Node developed by jindw. Versions of XMLDOM prior to 0.9.10, 0.8.13, and xmldom 0.6.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the lack of escaping or validation when serializing DocumentType node...

PT-2026-38351

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a through 3.4.0...

DivvyDrive 安全漏洞

DivvyDrive is a file storage and sharing management platform developed by DivvyDrive Inc. in Turkey. Versions of DivvyDrive prior to 4.8.3.2 contained security vulnerabilities. These vulnerabilities stemmed from improper control over modifications to object properties and unlimited resource...

PT-2026-38428

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 150.0.2 Firefox ESR versions prior to 140.10.2 Firefox ESR versions prior to 115.35.2 Description A use-after-free issue exists in the DOM: Networking component. Use-after-free is a memory corruption flaw that occurs...

PT-2026-39444

Name of the Vulnerable Software and Affected Versions PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 Description A use-after-free issue exists in the SOAP extension's object deduplication mechanism, specifical...

Linux Distros Unpatched Vulnerability : CVE-2026-7907

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in DOM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page...

PT-2026-38396

Name of the Vulnerable Software and Affected Versions vm2 versions 3.9.6 through 3.10.5 Description The bridge in vm2 exposes mutable proxies for host-realm intrinsic prototypes and forwards sandbox writes into underlying host objects using otherReflectSet and otherReflectDefineProperty. This...

PT-2026-38374

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description In the HttpObjectDecoder component, the software fails to strip the Content-Length header when an HTTP/1.0 request contains both Transfer-Encoding: chunked...

GHSA-9W9C-9W8M-W89Q ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data

Summary GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps belonging to any other namespace...

EUVD-2026-27975

Object lifecycle issue in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-42077

Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists...

CVE-2026-7936

Rejected reason: Determined not a vulnerability...

EUVD-2026-27864

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed...

CVE-2026-7936

CVE-2026-7936 entry is rejected/not used and does not represent an active vulnerability.

CVE-2026-7936

...

CVE-2026-7936

Removed by vendor...

GHSA-QRGM-P9W5-RRFW Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior

We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in...

Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior

We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in...