📄 Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Pachno version 1.0.6 uses the unserialize function on the contents of cache files stored under PACHNOPATH/cache/ during the framework bootstrap sequence, before any authentication, routing, or controller logic is executed. Cache files are created with world-writable permissions chmod 0666 and use...

Generation of Predictable Numbers or Identifiers

Overview DotNetNuke.Core is a references provider to the DotNetNuke.dll to develop extensions for the DNN Platform. Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers in the form of generation of identical HostGUID values during installation. An...

CVE-2026-33710 Chamilo LMS has Weak REST API Key Generation (Predictable)

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5time + userid 5 - rand10000, 10000. The rand10000, 10000 call always returns exactly 10000 min == max, making the formula effectively md5timestamp + userid5 - 10000. An attacker who...

CVE-2026-33710 Chamilo LMS has Weak REST API Key Generation (Predictable)

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5time + userid 5 - rand10000, 10000. The rand10000, 10000 call always returns exactly 10000 min == max, making the formula effectively md5timestamp + userid5 - 10000. An attacker who...

PT-2026-32024

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5time + user id 5 - rand10000, 10000. The rand10000, 10000 call always returns exactly 10000 min == max, making the formula effectively md5timestamp + user id5 - 10000. An attacker wh...

📄 UNI-PASS-Based Customs Systems Insecure Direct Object Reference

A critical security vulnerability has been identified in customs platforms based on UNI-PASS, where a publicly exposed API endpoint allows unauthorized access to sensitive documents without proper authentication or authorization checks. The affected endpoint commonly structured under /api/public/...

SUSE SLES12 Security Update : python-requests (SUSE-SU-2026:1218-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1218-1 advisory. - CVE-2026-25645: extractzippedpaths uses predictable filenames when extracting files from zip archives and reuses target files that already...

Security update for python-requests

This update for python-requests fixes the following issues: CVE-2026-25645: extractzippedpaths uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation bsc1260589. Patch Instructions: To install this SUSE update use the SUSE...

SUSE-SU-2026:1218-1 Security update for python-requests

This update for python-requests fixes the following issues: - CVE-2026-25645: extractzippedpaths uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation bsc1260589...

SUSE-SU-2026:21036-1 Security update for python-requests

This update for python-requests fixes the following issue: - CVE-2026-25645: extractzippedpaths uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation bsc1260589...

SUSE-SU-2026:21063-1 Security update for python-requests

This update for python-requests fixes the following issue: - CVE-2026-25645: extractzippedpaths uses predictable filenames when extracting files from zip archives and reuses target files that already exist without validation bsc1260589...

CVE-2026-5083

Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked fr...

CVE-2026-5083 Ado::Sessions versions through 0.935 for Perl generates insecure session ids

Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked fr...

CVE-2026-5083

CVE-2026-5083 affects the Perl module Ado::Sessions up to version 0.935. The vulnerability stems from generating session IDs with a SHA-1 hash seeded by the built-in rand() function, the epoch time, and the PID. The PID comes from a small set of numbers, and the epoch time may be guessed if not l...

CVE-2025-13044

IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack...

PT-2026-31088

Name of the Vulnerable Software and Affected Versions Ado::Sessions versions through 0.935 Description The Ado::Sessions Perl module generates insecure session IDs. The session ID is created using a SHA-1 hash seeded with the built-in rand function, the epoch time, and the process ID PID. The PID...

CVE-2026-28810

A flaw was found in Erlang/OTP kernel. The built-in DNS resolver inetres uses predictable 16-bit transaction IDs and lacks source port randomization. A remote attacker can exploit this by observing or predicting DNS query IDs, leading to DNS cache poisoning. This allows the attacker to redirect...

UBUNTU-CVE-2026-28810

Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel inetres, inetdb modules allows DNS Cache Poisoning. The built-in DNS resolver inetres uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization...

EUVD-2025-209253

IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack...

CVE-2025-13044

IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack...