Premium Addons for Elementor - Unauthenticated Information Disclosure

Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability.The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...

EUVD-2026-39188

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or...

CVE-2026-53193

An ALSA timer vulnerability in the Linux kernel: when snd_timer is freed with pending snd_timer_instance objects, slave instances may still point to the freed timer, risking a user-after-free. The fix forces snd_timer_close_locked for each pending timer instance and adds a SNDRV_TIMER_IFLG_DEAD c...

CVE-2026-53165

In the Linux kernel iomap path, CVE-2026-53165 describes a race where, during buffered read errors, folio->mapping can be set to NULL before fserror_report_io() runs, leading to a potential NULL dereference. The root cause is that error reporting occurs after decrementation of read_bytes_pendi...

EUVD-2026-39256

In the Linux kernel, the following vulnerability has been resolved: iomap: avoid potential null folio-mapping deref during error reporting When a buffered read fails, iomapfinishfolioread reports the error with fserrorreportiofolio-mapping-host, .... This is called after ifs-readbytespending has...

CVE-2026-9702

The CVE concerns the InPost PL WordPress plugin (before 1.9.1) failing to verify that a request to update the WooCommerce order parcel-locker destination originates from the legitimate buyer. This allows unauthenticated attackers to silently redirect the shipping destination of any pending or pro...

CVE-2026-9702 InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or...

EUVD-2026-38975

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: don't kill URBs in interrupt context Serialization for the TX path was enforced by calling usbkillurb/usbkillanchoredurbs, to prevent transmission before a previous URB was completed. usbtxblock can be called from...

CVE-2026-6673

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

CVE-2026-6673 Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

EUVD-2026-38249

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

CVE-2026-6673

Mattermost Jira plugin (CVE-2026-6673) authenticates poorly during Atlassian Connect install. Affected Mattermost versions (11.7.x &lt;= 11.7.0, 11.6.x &lt;= 11.6.2, 11.5.x &lt;= 11.5.5, 10.11.x

PT-2026-51316

Name of the Vulnerable Software and Affected Versions Mattermost version 11.7.0 Mattermost version 11.6.2 Mattermost version 11.5.5 Mattermost version 10.11.17 Description Remote unauthenticated attackers can inject a rogue sharedSecret and disrupt the Jira integration. This occurs during the...

CVE-2026-56253

Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...

PT-2026-51223

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Improper access control in the public.get org members RPC function allows unauthenticated attackers to enumerate organization members. By using a public sb publishable key and an organization UUID,...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: In the md subsystem, there was a issue where the “activeio” value was not properly released after the submitflushes function was called. This caused the “activeio” value to remain unreleased, leading to a situation where...

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Canceling pending work when closing a MIDI substream When closing a USB MIDI output substream, there may still be pending work. This work would eventually access the rawmidi runtime object that is being released...

Astra Linux – Vulnerability in Linux, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca – A memory leak was fixed in the device probe, and the phy-pendingskb variable was properly freed after allocation. However, it was forgotten to be freed during the error handling and removal processes, resulting in...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerabilities have been resolved: gve: Added a missing NULL check for gveallocpendingpacket in TX DQO. gveallocpendingpacket may return NULL, but gvetxaddskbdqo did not check for this case before dereferencing the returned pointer. A missing NULL check was add...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrumacltcam: A memory leak has been fixed when canceling the rehash operation. The rehash operation is rescheduled with a delay if the number of credits at the end of the operation is not negative—this indicates that t...