PT-2026-39031

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A use-after-free race condition exists in the drm/amdgpu component during VM acquire. This occurs when parent and child processes sharing a drm file both attempt to acquire the same VM...

PT-2026-39067

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the libceph component where out-of-bounds reads can occur within the process message header function. This happens if a message frame is corrupted, causing the control...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the lack of checking whether the target buffer list is of the traditional type during recycling,...

CVE-2024-33724

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting XSS via the groupeid parameter to process/groupesave.php...

PT-2026-38648

Name of the Vulnerable Software and Affected Versions electerm versions 3.x and earlier Description The getConstants IPC handler in src/app/lib/ipc-sync.js serializes the entire process.env object and sends it to the renderer, where it is stored as window.pre.env. This data is accessible to any...

PT-2026-38646

Name of the Vulnerable Software and Affected Versions electerm versions prior to 3.7.16 Description The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user-supplied widget identifiers without sanitization. Since runWidget is exposed to the...

SOPlanning 跨站脚本漏洞

SOPlanning is a set of online project management software developed by SOPlanning Company. Version 1.52.00 of SOPlanning contains a cross-site scripting vulnerability, which stems from the groupeid parameter in the process/groupesave.php file, which exposes a cross-site scripting attack...

PT-2026-38874

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash...

Linux Distros Unpatched Vulnerability : CVE-2026-43406

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libceph: prevent potential out-of-bounds reads in processmessageheader If the message frame is maliciously corrupted in a way that the length of the control...

CVE-2024-33724

SOPlanning 1.52.00 is vulnerable to Cross Site Scripting XSS via the groupeid parameter to process/groupesave.php...

CVE-2026-34354

Akamai Guardicore Platform Agent GPA and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the...

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...

GHSA-G49P-4QXJ-88V3 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via the Installer process. An attacker can access sensitive server configuration, environment variables, filesystem paths, and loaded PHP extensions by sending an unauthenticated GET request with the phpinfo parameter...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the Plugins::add process. An attacker can execute arbitrary code, overwrite sensitive files, and gain full control of the server by uploading a specially crafted ZIP archive containing file paths with directory...

CVE-2026-26956

A flaw was found in vm2, an open-source sandbox for Node.js. An attacker can exploit this vulnerability by running malicious code within the VM.run function, allowing them to escape the sandbox and gain access to the host process. This can lead to arbitrary code execution on the host system,...

golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS

A flaw in golang.org/x/crypto/ssh/agent causes the SSH agent client to panic when a peer responds with the generic SSHAGENTSUCCESS 0x06 message to requests expecting typed replies e.g., List, Sign. The unmarshal layer produces an unexpected message type, which the client code does not handle,...

Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues: Update to version 2.52.1. Security issues fixed: CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy bsc1261172. CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected proces...

throttlestop-poc

throttlestop-poc This is a simple Proof-of-Concept that abuses...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...