Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-tornado (UTSA-2026-021475)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021475 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers wher...

PT-2026-32699

Name of the Vulnerable Software and Affected Versions InDesign Desktop versions 20.5.2 and 21.2 and earlier Description A Use After Free issue exists where the software continues to use a pointer after it has been freed. This could result in arbitrary code execution in the context of the current...

CVE-2026-39619

Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through = 2.5.2...

EUVD-2026-20261

Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through = 2.5.2...

CVE-2026-39619

Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through = 2.5.2...

PT-2026-31184

CVE-2026-39619 Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a t… https://t.co/PP035okJ62...

GHSA-CPJ3-3R2F-XJ59 OpenBao has Reflected XSS in its OIDC authentication error message

Impact OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a...

Lychee 代码问题漏洞

Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.2 had code vulnerabilities that could be exploited through DNS redirection bypasses, allowing for server-side request...

CVE-2026-32610

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets alloworigins="" combined with allowcredentials=True. When both of these options are enabled together, Starlette's CORSMiddlewa...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-tornado (UTSA-2026-005911)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005911 advisory. Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header...

CVE-2024-51915

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through = 6.5.2...

CVE-2026-25487

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

PT-2026-6294

Name of the Vulnerable Software and Affected Versions Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 Description Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting XSS issue. The issue resides in the Shipping...

CVE-2008-6047

Cross-site scripting XSS vulnerability in ADbNewsSender before 1.5.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to 1 subscribing and 2 unsubscribing...

CVE-2023-51513 WordPress Geo Controller plugin <= 8.5.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2...

CVE-2025-68617

FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed...

CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...

CVE-2025-67726

Tornado (Python) vulnerability CVE-2025-67726 affects versions 6.5.2 and earlier, due to an inefficient _parseparam-based parsing of HTTP header parameters (e.g., Content-Disposition). The implementation repeatedly calls string.count() inside a nested loop while handling quoted semicolons, causin...

WordPress Bold Page Builder plugin <= 5.5.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Poystick in WordPress Plugin Bold Page Builder versions = 5.5.2...

PT-2025-47807

Name of the Vulnerable Software and Affected Versions ESF-IDF versions 5.3.4 through 5.5.1 Description ESF-IDF, the Espressif Internet of Things IOT Development Framework, contains a flaw in its hardware JPEG decoder when used with the ESP32-P4. The software parser does not perform adequate...