TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal

TRUfusion Enterprise versions 7.10.4.0 and earlier contained a vulnerability that allowed unauthenticated access to the Internal Admin Contact Page, resulting in the disclosure of PII including partner and contact names. id: CVE-2025-27225 info: name: TRUfusion Enterprise = 7.10.4.0 - Admin Conta...

Sophos UTM Preauth - Remote Code Execution

Sophos SG UTMA WebAdmin is susceptible to a remote code execution vulnerability in versions before v9.705 MR5, v9.607 MR7, and v9.511 MR11. id: CVE-2020-25223 info: name: Sophos UTM Preauth - Remote Code Execution author: gy741 severity: critical description: Sophos SG UTMA WebAdmin is susceptibl...

openSUSE 16 Security Update : roundcubemail (openSUSE-SU-2026:20852-1)

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20852-1 advisory. Changes in roundcubemail: - update to 1.6.16 - Fix potential too long value in IMAP ID command 10136 - Security: Fix stored XSS/HTML/CSS injecti...

Linux Distros Unpatched Vulnerability : CVE-2026-48842

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuserquery plugin via a pregreplace backslash escape...

CVE-2026-48847

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass...

Astra Linux - уязвимость в linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: ksmbd: The “binding mark” of a reused connection was unset. Steve French reported a null pointer dereference error from the sha256 lib.cifs.ko library. The cifs.ko library can send session setup requests on reused connections. If...

Astra Linux - уязвимость в linux-6.1, linux-5.15

In the Linux kernel, the following vulnerabilities have been resolved: ksmbd: The issue related to “slab-use-after-free” in smb3preauthhashrsp has been fixed. The function ksmbdusersessionput should be called within smb3preauthhashrsp. This will prevent the session from being freed before calling...

Astra Linux - уязвимость в krb5

In kdc/kdcpreauthec.c of the Key Distribution Center KDC in MIT Kerberos 5 also known as krb5, before versions 1.18.4 and 1.19.x, and before version 1.19.2, remote attackers could exploit a vulnerability that led to a NULL pointer dereferencing and a crash of the daemon. This occurs because the...

GHSA-3V9W-6365-9W54 Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Summary In a default dozzle deploy the documented quickstart, no DOZZLEAUTHPROVIDER set, POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that: - Sends an HTTP POST to the supplied URL with attacker-controlle...

Unity Linux 20.1060e / 20.1070e Security Update: mutt (UTSA-2026-017546)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017546 advisory. Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. Tenable has extracted the preceding description block directly from t...

Astra Linux - уязвимость в linux-5.10, linux-5.15

In the Linux kernel, the following vulnerabilities have been resolved: ksmbd: Avoid out-of-bounds access in decodepreauthctxt. Ensure that the address of pnegctxt-HashAlgorithms lies within the SMB request boundary. deassemblenegcontexts only checks that the eight-byte smb2negcontext header plus...

Exploit for Integer Overflow or Wraparound in Zeromq Libzmq

CVE-2019-6250 — libzmq pre-auth RCE lab !CVEhttps://img.s...

CVE-2026-39858 Traefik: Forwarded alias spoofing top pre-auth decision bypass

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only...

PT-2026-35367

Date: April 27, 2026 Status: ACTIVE EXPLOITATION / PERIMETER & INTERNAL RISK Target: Microsoft Windows RPC Runtime All Versions: Windows 10, 11, Server 2016-2025 Severity: 9.8 MAXIMUM CRITICAL Unauthenticated Remote Code Execution / LPE...

CVE-2026-41343

OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade...

Security update for roundcubemail (important)

openSUSE Security Update: Security update for roundcubemail Announcement ID: openSUSE-SU-2026:0141-1 Rating: important References: 1261157 1261488 Cross-References: CVE-2026-35537 Affected Products: openSUSE Backports SLE-15-SP7 An update that solves one vulnerability and has one errata is now...

CVE-2026-3505

CVE-2026-3505 describes an Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle BC-JAVA bcpg modules. The issue affects the BC-JAVA package (all pg modules) and is tied to specific code paths including AEADEncDataPacket.java, BcAEADUtil.java, JceAEADUtil.java, and Operat...

CVE-2026-3505

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java,...

CVE-2026-39337

ChurchCRM CVE-2026-39337 describes a pre-authentication remote code execution in the setup wizard (before/around initial installation) that allows unauthenticated code injection due to unsanitized $dbPassword. This is a remediation of an incomplete fix for CVE-2025-62521 and is fixed in version 7...

OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM

Summary OpenIdentityPlatform OpenAM 16.0.5 and likely earlier versions is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the...