Lucene search

15849 matches found

Vulnrichment
added 2026/03/13 8:25 a.m. | 2 views

CVE-2026-2879 GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the id parameter in the create method of the GetGenieChat REST API endpoint. The method accepts a user-controlled post ID and, when...

CVSS 5.4 | AI score 5.9 | EPSS 0.00281
Exploits: 0 | References: 4

CVE
added 2026/03/13 8:25 a.m. | 11 views

CVE-2026-2879

The CVE-2026-2879 entry concerns GetGenie (WordPress) plugin

CVSS 5.4 | AI score 5.9 | EPSS 0.00281
Exploits: 0 | References: 4

Patchstack
added 2026/03/13 3:42 a.m. | 3 views

WordPress GetGenie plugin <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion vulnerability

Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin GetGenie versions <= 4.3.2...

CVSS 5.4 | AI score 5.8 | EPSS 0.00281
Exploits: 0 | References: 1 | Affected Software: 1

CNNVD
added 2026/03/13 12:0 a.m. | 2 views

WordPress plugin GetGenie security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.4 | AI score 5.8 | EPSS 0.00281
Exploits: 0 | References: 4

Tenable Nessus
added 2026/03/13 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2026-32116

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file...

CVSS 8.2 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 2

Tenable Nessus
added 2026/03/13 12:0 a.m. | 3 views

SUSE SLES15 Security Update : busybox (SUSE-SU-2026:0872-1)

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0872-1 advisory. - CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580). - CVE-2023-42364: use-after-free...

CVSS 7.2 | AI score 6.3 | EPSS 0.02871
Exploits: 6 | References: 25

OSV
added 2026/03/12 8:57 p.m. | 1 views

GO-2026-4668 zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required) in zotregistry.dev/zot

zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required) in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

CVSS 7.7 | AI score 5.8 | EPSS 0.00212
Exploits: 1 | References: 3

OSV
added 2026/03/12 6:16 p.m. | 3 views

UBUNTU-CVE-2026-32116

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This cou...

CVSS 8.2 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 2

Cvelist
added 2026/03/12 5:40 p.m. | 25 views

CVE-2026-32116 Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This cou...

CVSS 8.2 | EPSS 0.0035
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/12 5:40 p.m. | 3 views

CVE-2026-32116 Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This cou...

CVSS 8.2 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 1

OSV
added 2026/03/12 5:40 p.m. | 3 views

CVE-2026-32116 Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This cou...

CVSS 8.2 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 3

CVE
added 2026/03/12 5:40 p.m. | 16 views

CVE-2026-32116

Vulnerability: Magic Wormhole (wormhole receive) could overwrite critical local files on the recipient when receiving a file, affecting versions 0.21.0 through before 0.23.0. Root cause: receiving a file could overwrite targets like ~/.ssh/authorized_keys and .bashrc due to the transfer handling....

CVSS 8.2 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/03/12 12:0 a.m. | 4 views

PT-2026-25032

Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This...

CVSS 8.2 | AI score 5.8 | EPSS 0.0035
Exploits: 0 | References: 4

OSV
added 2026/03/11 5:9 p.m. | 2 views

CVE-2026-31853 ImageMagick has a heap buffer over-write on 32-bit systems in SFW decoder

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41...

CVSS 5.7 | AI score 5.9 | EPSS 0.00093
Exploits: 0 | References: 3

OSV
added 2026/03/11 5:6 p.m. | 3 views

SUSE-SU-2026:0872-1 Security update for busybox

This update for busybox fixes the following issues: - CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580). - CVE-2023-42364: use-after-free in the awk.c evaluate function (bsc#1217584). - CVE-2023-42365: use-after-free in the awk.c copyvar function...

CVSS 7.2 | AI score 6.2 | EPSS 0.02871
Exploits: 6 | References: 17

SUSE CVE
added 2026/03/11 4:15 p.m. | 2 views

SUSE CVE-2026-31801

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the t...

CVSS 7.7 | AI score 5.8 | EPSS 0.00212
Exploits: 1 | References: 4

RedhatCVE
added 2026/03/11 7:8 a.m. | 6 views

CVE-2026-30920

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the...

CVSS 8.6 | AI score 5.8 | EPSS 0.00196
Exploits: 1 | References: 1

Snyk
added 2026/03/10 11:44 p.m. | 2 views

Symlink Attack

Overview: org.webjars.npm:tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Symlink Attack via tar.x extraction, which allows an attacker to overwrite arbitrary files outside the intended extraction directory with a drive-relative symlink target - like...

CVSS 8.2 | AI score 6.3 | EPSS 0.00253
Exploits: 4 | References: 2

Snyk
added 2026/03/10 11:44 p.m. | 0 views

Symlink Attack

Overview: tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Symlink Attack via tar.x extraction, which allows an attacker to overwrite arbitrary files outside the intended extraction directory with a drive-relative symlink target - like...

CVSS 8.2 | AI score 6.3 | EPSS 0.00253
Exploits: 4 | References: 2

OSV
added 2026/03/10 11:44 p.m. | 1 views

GHSA-9PPJ-QMQM-Q256 node-tar Symlink Path Traversal via Drive-Relative Linkpath

Summary: tar npm can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Details: The extraction logic in...

CVSS 8.2 | AI score 6 | EPSS 0.00253
Exploits: 4 | References: 4