CVE-2026-29072

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, an...

EUVD-2026-13192

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 conta...

CVE-2026-27491

Discourse contains a type coercion vulnerability in the post actions API that allowed non-staff, logged-in users to issue warnings to other users. Affected versions are 2026.3.0-latest.1, 2026.2.1, and 2026.1.2; patch versions are also noted. The underlying cause is a type coercion issue in the p...

PT-2026-26379

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2,...

PT-2026-26426

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. The Post Edits admin report, accessible via the...

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.15-2026-099 (ALASKERNEL-5.15-2026-099)

The version of kernel installed on the remote host is prior to 5.15.202-141.223. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2026-099 advisory. In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in...

GHSA-958M-GXMC-MCCM free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request

Impact This is an Improper Error Handling vulnerability with Information Exposure implications. - Security Impact: The UDM incorrectly converts a downstream 400 Bad Request from UDR into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks intern...

PT-2026-26207

Name of the Vulnerable Software and Affected Versions: gRPC-Go versions prior to 1.79.3 Description: gRPC-Go is vulnerable to an authorization bypass due to improper input validation of the HTTP/2 :path pseudo-header. The server incorrectly routes requests with missing leading slashes in the :pat...

CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities KEV catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-47813 CVSS score: 4.3, is an information...

Photon OS 5.0: Curl PHSA-2026-5.0-0785

An update of the curl package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0785. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

CVE-2026-30876

Chamilo LMS before version 1.11.36 is vulnerable to user enumeration via login response (valid vs invalid usernames). The issue has been fixed in 1.11.36. CVSS‑4.0 metrics indicate Network attack vector, Low confidentiality impact, and a Medium overall severity (6.3).

Security update for amazon-ssm-agent (important)

openSUSE security update: security update for amazon-ssm-agent ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20351-1 Rating: important References: bsc1253611 Cross-References: CVE-2025-47913 CVSS scores: CVE-2025-47913 SUSE : 7.5...

EUVD-2026-11705

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS...

GHSA-69XG-F649-W5G2 Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

Impact The OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's...

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici versions, when interceptors.deduplicate is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlle...

GHSA-4HJQ-9H5C-252J Traefik: HTTP/2 frames can cause a running server to panic

Summary More Details: - https://nvd.nist.gov/vuln/detail/CVE-2026-27141 - https://pkg.go.dev/golang.org/x/net/http2?tab=versions Patches - https://github.com/traefik/traefik/releases/tag/v3.6.10 - https://github.com/traefik/traefik/releases/tag/v2.11.40 For more information If you have any...

Traefik: HTTP/2 frames can cause a running server to panic

Summary More Details: - https://nvd.nist.gov/vuln/detail/CVE-2026-27141 - https://pkg.go.dev/golang.org/x/net/http2?tab=versions Patches - https://github.com/traefik/traefik/releases/tag/v3.6.10 - https://github.com/traefik/traefik/releases/tag/v2.11.40 For more information If you have any...

CVE-2026-31889 Shopware has a potential take over of app credentials

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based...

400,000 WordPress Sites Affected by Unauthenticated SQL Injection Vulnerability in Ally WordPress Plugin

On February 4th, 2026, we received a submission for an SQL Injection vulnerability in Ally, a WordPress plugin estimated to have more than 400,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes. Props to Drew Webber...

CVE-2026-3680

A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been released to t...