USN-8323-1: Postorius vulnerability

It was discovered that Postorius did not properly escape HTML in message subjects when rendering the Held messages pop-up. An attacker could possibly use this issue to inject arbitrary HTML, resulting in exposure of sensitive information...

CVE-2026-7637

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOSTUSERLOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present i...

CVE-2026-7637

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOSTUSERLOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present i...

PT-2026-42100

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST USER LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present...

CVE-2026-3471 Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App

Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling window.open'javascript:alert';. Mattermost Advisory ID: MMSA-2026-00...

CVE-2026-3471

Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling window.open'javascript:alert';. Mattermost Advisory ID: MMSA-2026-00...

CVE-2026-3471 Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App

Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling window.open'javascript:alert';. Mattermost Advisory ID: MMSA-2026-00...

PT-2026-41651

Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling window.open'javascript:alert';. Mattermost Advisory ID: MMSA-2026-00...

Malicious code in alicloud-pop-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8996db2a99f506044afe3fa7d1776936c419425988ce0adab16938e0b1c72498 The package alicloud-pop-core was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3779 Malicious code in alicloud-pop-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8996db2a99f506044afe3fa7d1776936c419425988ce0adab16938e0b1c72498 The package alicloud-pop-core was found to contain malicious code. Source: ghsa-malware...

Malicious Package

Overview alicloud-pop-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

PT-2026-38553

Name of the Vulnerable Software and Affected Versions Postorius versions prior to 1.3.14 Description The software fails to escape HTML in the message subject when rendering it within the Held messages pop-up. This issue was exploited in the wild in May 2026. Recommendations Update to a version...

CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

CVE-2026-43109

A flaw was found in the Linux kernel's x86 shadow stacks implementation. An oversight in the shstkpopsigframe function's error handling for mmapreadlockkillable could lead to unexpected behavior. This vulnerability involves improper error checking during memory management operations...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux, linux-5.15

In the Linux kernel, the following vulnerabilities have been resolved: bpf, sockmap: Several fixes to bpfmsgpopdata Several fixes to bpfmsgpopdata: 1. In skmsgshiftleft, we should use putpage. 2. If len == 0, returning early is better. 3. Popping the entire skmsg last == msg-sg.size should be...

Astra Linux - уязвимость в linux-5.15, linux-5.10, linux

In the Linux kernel, the following vulnerabilities have been resolved: ACPICA: Fixed the error code path in acpidscallcontrolmethod. A use-after-free in acpipsparseaml occurs after a failed invocation of acpidscallcontrolmethod. This issue was reported by KASAN 1. Code inspection reveals that...

JLSEC-2026-233 openssl-src vulnerable to Use-after-free following `BIO_new_NDEF`

The public API function BIOnewNDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the...

nginx 0.5.15 < 1.28.3 / 1.29.x < 1.29.7 NULL Pointer Dereference

The installed version of nginx is 0.5.15 prior to 1.28.3, or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issue : - When the ngxmailauthhttpmodule module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue...