EUVD-2026-31157

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/wikiName API executes a XAR import without performing any...

CLEANSTART-2026-TX00223 Security fixes for CVE-2017-14919, CVE-2017-15896, CVE-2018-0734, CVE-2018-0735, CVE-2018-1000168, CVE-2018-12121, CVE-2018-12122, CVE-2018-7160, CVE-2018-7161, CVE-2019-15604, CVE-2019-15605, CVE-2019-15606, CVE-2019-5737, CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518, CVE-2020-11080, CVE-2020-7774, CVE-2020-8172, CVE-2020-8174, CVE-2020-8201, CVE-2020-8252, CVE-2020-8265, CVE-2020-8277, CVE-2020-8287, CVE-2021-21148, CVE-2021-22930, CVE-2021-22931, CVE-2021-22959, CVE-2021-22960, CVE-2021-3672, CVE-2021-43803, CVE-2021-44531, CVE-2021-44532, CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-35255, CVE-2022-35256, CVE-2022-3602, CVE-2022-43548, CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807, CVE-2023-39333, CVE-2023-44487, CVE-2024-22018, CVE-2024-22020, CVE-2024-27982, CVE-2024-27983, CVE-2024-36138, CVE-2024-37372 applied in versions: 10.14.0-r0, 10.15.3-r0, 10.16.3-r0, 12.15.0-r0, 12.18.0-r0, 12.18.4-r0, 14.15.1-r0, 14.15.4-r0, 14.15.5-r0, 14.16.0-r0, 14.16.1-r0, 14.17.4-r0, 14.17.5-r0, 14.17.6-r0, 14.18.1-r0, 16.13.2-r0, 16.17.1-r0, 18.12.1-r0, 18.14.1-r0, 18.17.1-r0, 18.18.2-r0, 20.12.1-r0, 20.15.1-r0, 6.11.1-r0, 6.11.5-r0, 8.11.0-r0, 8.11.3-r0, 8.11.4-r0, 8.9.3-r0

Multiple security vulnerabilities affect the nodejs package. These issues are resolved in later releases. See references for individual vulnerability details...

GHSA-6M6C-36F7-FHXH Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS

Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. Example: gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d mermaid.parse is unaffected,...

CVE-2026-40912

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches...

EUVD-2026-26433

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to ho...

GHSA-2GW9-C2R2-F5QF Neko has a Self-service Privilege Escalation for Authenticated Users

Impact Any authenticated user can immediately obtain full administrative control of the entire Neko instance member management, room settings, broadcast control, session termination, etc.. This results in a complete compromise of the instance. Patches The vulnerability has been patched in the...

CVE-2026-40104

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...

BIT-DISCOURSE-2026-32618 Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0...

PT-2026-29098

Name of the Vulnerable Software and Affected Versions Symantec Data Loss Prevention Windows Endpoint versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. Description The software may be susceptible to an Elevation of Privilege issue, allowing an attacker to ga...

EUVD-2026-13895

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a...

GHSA-G3HG-J4JV-CWFR Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration

Summary There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking 166ms. When the username does not exist, the response returns immediatel...

CVE-2026-25534

Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...

CVE-2026-27021

Summary of CVE-2026-27021 (Discourse) : The vulnerability affects the poll voters endpoint, where lack of post visibility checks allowed unauthorized access to voters’ details for polls in any post. Affected versions include 2025.12.2, 2026.1.1, and 2026.2.0. The issue is addressed in these versi...

CVE-2026-25532

ESF-IDF (Espressif IoT Development Framework) WPS Enrollee vulnerability: malformed EAP-WSC packets can trigger an integer underflow during fragment length calculation, when EAP Length omits payload. Affected versions are 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6. The underflow occurs as frag_len bec...

CVE-2025-68934

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause On^2 processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as t...

Important: Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Container Release Update

An update is now available for Red Hat Ansible Automation Platform 2.6 Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams,...

PT-2026-5142

Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are...

CVE-2025-3950

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection...

GHSA-VRJC-Q2FH-6X9H Spinnaker vulnerable to SSRF due to improper restrictions on http from user input

Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This ALSO includes calling INTERNAL Spinnaker API's via a get and similar endpoints...

EUVD-2025-202616

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated...