Astra Linux - уязвимость в apache2

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some uses of the legacy content-type-based configuration of handlers. Configurations like “AddType” and similar ones, under certain circumstances where files are requested indirectly, can lead to exposure of local...

CVE-2026-42006

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass t...

Astra Linux - уязвимость в thrift

In Apache Thrift, all versions up to and including 0.12.0, a server or client may encounter an infinite loop when processing specific input data. Since this issue was partially addressed in version 0.11.0, it only affects certain language bindings, depending on the installed version...

CVE-2026-6608

The CVE-2026-6608 issue affects lm-sys fastchat prior to 0.2.36, specifically the Arena Side-by-Side View Handler’s add_text function. The vulnerability enables an attacker to manipulate control flow and can be exploited remotely; public exploit details exist. The root cause was addressed in comm...

CVE-2026-40489

editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ecglob that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directo...

PT-2026-33550

Name of the Vulnerable Software and Affected Versions compressing versions prior to 1.10.5 compressing versions prior to 2.1.1 Description A patch bypass exists in the isPathWithinParent function located in lib/utils.js. The issue stems from a divergence between logical string validation and the...

CVE-2026-3243

The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the createcrop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, t...

EUVD-2026-20451

The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the createcrop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, t...

CVE-2025-14795

The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ssaddtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to...

EUVD-2025-206505

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'contentprotector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and...

PT-2026-5120

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and...

PT-2026-4355

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs user documentation handling capabilities' function in all versions up to, and including,...

CVE-2025-40316

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind but failed to remove a partial fix which had been added by commit...

CVE-2025-40316

CVE-2025-40316 concerns a Linux kernel drm/mediatek issue where a reference imbalance can cause a use-after-free on device bind/unbind. The initial description notes a fix that reverts a partial earlier patch and ensures references are dropped after retrieving driver data, preventing reference le...

Exploit for Improper Restriction of XML External Entity Reference in Apache Tika

Apache Tika XXE Vulnerability Tester CVE-2025-54988 A compr...

CVE-2025-7400

CVE-2025-7400 – Featured Image from URL (FIFU) for WordPress is a Stored Cross-Site Scripting flaw in all versions up to 5.2.7, exploitable by an authenticated attacker with Contributor-level access or higher via the post’s Featured Image custom fields. Root cause: insufficient input sanitization...

EUVD-2024-27457

Malicious code in bioql PyPI...

CLSA-2025-1757947030 nettle: Fix of CVE-2018-16869

Port side-channel silent functions from 3.4.1. Partially fix for CVE-2018-16869 - CVE-2018-16869: Add side-channel silent memory, math, PKCS1, RSA functions - Added tests for side-channel silent implementations...

Linux Distros Unpatched Vulnerability : CVE-2024-29415

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1...

BIT-LIBPHP-2024-2756 __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a Host- or Secure- cookie by PHP applications...