PT-2026-46970

7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule .scap parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize up to 1 GiB without...

PT-2026-46317

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...

EUVD-2026-32742

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization...

CVE-2026-7509 KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2026-44217

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into t...

BIT-JAVA-MIN-2020-14562

Vulnerability in the Java SE product of Oracle Java SE component: ImageIO. Supported versions that are affected are Java SE: 11.0.7 and 14.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of...

Astra Linux - уязвимость в waitress

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before Waitress has had the opportunity to call getpeername, Waitress will not properly clean up the connection. As a result, the main thread attempts to write to a socket that no long...

CVE-2026-34722

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4...

CVE-2026-34723 Zammad has incorrect access control in getting_started_controller

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed i...

CVE-2026-34248 Zammad has an information disclosure in ticket detail view of customers in shared organizations

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations means they can see each other's tickets could see fields which are not intended for customers - including fields not intended for them at all e.g. priority, custom ticket attribut...

PT-2026-31413

Name of the Vulnerable Software and Affected Versions Zammad versions prior to 7.0.1 Description Zammad is a web based open source helpdesk/customer support system. In shared organizations, customers could view fields not intended for customer access, including fields restricted to internal use...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect through the redirecturi parameter in multiple endpoints ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, VerifyEmailHandler which is not validated against AllowedOrigins. An attacker can obtain...

PT-2026-26287

We're not migrating to Veeam B&R 13.0.1 until the end of the year, as Veeam B&R is supported until 01 Feb 2027, and we're not find of adopting applications before a couple of version releases have been made. We noticed Action1 appears to be incorrectly assigning CVE's affecting Veeam B&R 13.0.1.x...

GHSA-7C47-XR7Q-P6HG free5GC NRF Discovery EncodeGroupId Function Panics on Malformed group-id-list Parameter

Impact This is an Improper Input Validation vulnerability leading to Denial of Service. - Security Impact: A remote attacker can cause the NRF service to panic and crash by sending a crafted HTTP GET request with a malformed group-id-list parameter. This results in complete denial of service for...

ALSA-2026:4455 Important: .NET 8.0 security update

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.125 and .NET Runtime...

WordPress WP ULike plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attribute vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin WP ULike versions = 5.0.1...

CVE-2025-68554

CVE-2025-68554 affects the Keenarch WordPress theme (versions before 2.0.1). It is an Unrestricted Upload of File with Dangerous Type vulnerability, enabling arbitrary file uploads via Keenarch’s upload handling. Wordfence notes multiple WordPress vulnerability entries and lists Keenarch as patch...

PT-2026-22893

SEPPmail Secure Email Gateway before version 15.0.1 does not properly communicate PGP signature verification results, leaving users unable to detect forged emails...

CVE-2026-27613

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. A vulnerability in versions prior to 2.01 allows unauthenticated remote attackers to bypass the web server's CGI parameter security controls. Depending on the server configuration and the specific CGI executable in use, the impact i...

CVE-2026-2556

A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack may be...