4974 matches found

Vulnrichment, added 2026/02/15 1:58 p.m.

CVE-2019-25367 ArangoDB Community Edition 3.4.2-1 XSS via aardvark admin interface

ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface index.html through search, user management, and API parameters. Attackers can inject scripts via parameters in /db/system/admin/aardvark/index.html to execute JavaScript i...

CVSS 5.4 | AI score 5.2 | EPSS 0.00039
Exploits: 0 | References: 3
Positive Technologies, added 2026/02/13 12:00 a.m.

PT-2026-7993

Name of the Vulnerable Software and Affected Versions: HPESBNW05002 rev.1. Description: An authentication bypass in the application API allows the creation of an unauthorized administrative account. A remote attacker could exploit this to create privileged user accounts, potentially gaining...

CVSS 8.8 | AI score 5.5 | EPSS 0.00094
Exploits: 0 | References: 6
OSV, added 2026/02/12 4:34 p.m.

SUSE-SU-2026:0483-1 Security update for zabbix

This update for zabbix fixes the following issues: CVE-2024-36469: introduced clamping to mitigate timing attacks (bsc#1240676). CVE-2024-42325: restricted access to user fields via the user.get API method for users of User and Admin type, and restricted access to alert entities using...

CVSS 3.5 | AI score 5.5 | EPSS 0.00121
Exploits: 0 | References: 5
Snyk, added 2026/02/11 8:56 p.m.

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/users endpoint. An attacker can access sensitive information by sending a specially crafted request. Remediation: There is no fixed version for...

CVSS 8.8 | AI score 5.6 | EPSS 0.00054
Exploits: 1 | References: 2
OSV, added 2026/02/11 12:16 p.m.

UBUNTU-CVE-2025-14594

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API...

CVSS 3.5 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 5
Fedora, added 2026/02/11 1:00 a.m.

[SECURITY] Fedora 42 Update: rust-scx_rustland-0.0.3-7.fc42

A BPF dispatcher component that implements the low-level sched-ext functionality, plus a user-space scheduler counterpart, written in Rust, that implements the actual scheduling policy. This is used within sched-ext, a Linux kernel feature that enables implementing kernel thread schedule...

CVSS 7.5 | AI score 5.5 | EPSS 0.0004
Exploits: 1
Fedora, added 2026/02/11 1:00 a.m.

[SECURITY] Fedora 42 Update: rust-dua-cli-2.32.2-3.fc42

A tool to conveniently learn about the disk usage of directories, fast!...

CVSS 7.5 | AI score 5.5 | EPSS 0.0004
Exploits: 1
Positive Technologies, added 2026/02/11 12:00 a.m.

PT-2026-7522

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 17.11 through 18.6.5; GitLab CE/EE versions 18.7 through 18.7.3; GitLab CE/EE versions 18.8 through 18.8.3. Description: An authenticated user could potentially view certain pipeline values by querying the API under specific...

CVSS 3.5 | AI score 5.3 | EPSS 0.00016
Exploits: 0 | References: 10
ICS, added 2026/02/10 8:00 a.m.

Schneider Electric SCADAPack and RemoteConnect

GENERAL SECURITY RECOMMENDATIONS We strongly recommend the following industry cybersecurity best practices. Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Install physical controls so no unauthorized personnel can access...

AI score 6.1
Exploits: 0 | References: 11
CNNVD, added 2026/02/10 12:00 a.m.

Silicon Labs Simplicity Device Manager Tool security vulnerability

The Silicon Labs Simplicity Device Manager Tool is a hardware enumeration, configuration, and fault-diagnosis tool developed by Silicon Labs, Inc. The tool has a security vulnerability caused by reflected cross-site scripting in multiple API endpoints. This vulnerability could allow attackers to...

CVSS 7.5 | AI score 5.8 | EPSS 0.0007
Exploits: 0 | References: 2
Tenable Nessus, added 2026/02/10 12:00 a.m.

Siemens SCALANCE and RUGGEDCOM Missing Authentication for Critical Function (CVE-2025-32433)

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor...

CVSS 10 | AI score 7.1 | EPSS 0.62846
Exploits: 34 | References: 4
ATTACKERKB, added 2026/02/09 10:42 p.m.

CVE-2026-25958

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14...

CVSS 7.7 | AI score 5.5 | EPSS 0.00022
Exploits: 0 | References: 2 | Affected software: 1
Veracode, added 2026/02/09 12:54 p.m.

Sensitive Information Disclosure

Amazon SageMaker Python SDK is vulnerable to sensitive information disclosure. The vulnerability is due to the ModelBuilder HMAC signing key being returned in cleartext in the DescribeTrainingJob API response, which allows an attacker with API access and S3 output write permissions to upload...

CVSS 8.5 | AI score 5.5 | EPSS 0.00022
Exploits: 0 | References: 7 | Affected software: 1
RedHat Linux, added 2026/02/09 1:48 a.m.

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate

A flaw was found in Go's crypto/x509 package. A remote attacker could exploit this vulnerability by providing a specially crafted certificate: during error string construction in the HostnameError.Error function, unbounded string concatenation leads to excessive resource...

CVSS 7.5 | AI score 7.1 | EPSS 0.00019
Exploits: 2 | References: 8
Redos, added 2026/02/09 12:00 a.m.

ROS-20260209-73-0033

A vulnerability in go-jose, the Go implementation of the JWE, JWS and JWT standards, stems from incorrect processing of highly compressed input data. Exploitation of the vulnerability could allow a remote attacker to cause a denial of service...

CVSS 4.3 | AI score 5.6 | EPSS 0.04986
Exploits: 0
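The go-jose entry above is a decompression-bomb class of bug: a small compressed JWE payload ("zip":"DEF", raw DEFLATE per RFC 1951) inflating to an enormous plaintext. The fix that matters is a cap on the inflated output size, not on the input size. The block below is an added illustration in Python using zlib, not go-jose's own code; the 1 MiB ceiling, the helper names and the all-zero sample payload are assumptions made here for the example.

```python
import zlib

# Assumed policy for this example: never inflate more than 1 MiB of plaintext.
MAX_INFLATED = 1 << 20


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate raw DEFLATE data (the encoding JWE "zip":"DEF" uses) while
    refusing to produce more than `limit` bytes of output.

    A decompression bomb is a few kilobytes of input that expand to gigabytes;
    bounding the *output* is what defuses it, because the input looks harmless.
    """
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    try:
        # Ask for at most limit+1 bytes; a (limit+1)th byte proves the cap is exceeded.
        out = d.decompress(data, limit + 1)
    except zlib.error as e:
        raise ValueError(f"malformed DEFLATE stream: {e}") from e
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError(f"inflated payload exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE compressor, used here only to construct sample inputs."""
    c = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15)
    return c.compress(plaintext) + c.flush()


def build_bomb(inflated_size: int = 16 << 20) -> bytes:
    """Constructed sample: a highly compressible all-zero payload. 16 MiB of
    zeros deflates to a few tens of kilobytes."""
    return deflate_raw(b"\x00" * inflated_size)


def try_inflate(data: bytes, limit: int = MAX_INFLATED) -> str:
    """Return 'ok' or the rejection reason; convenient for checks."""
    try:
        inflate_bounded(data, limit)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    benign = deflate_raw(b'{"sub":"alice","scope":"read"}')  # constructed sample
    print(len(benign), "bytes ->", try_inflate(benign))
    bomb = build_bomb()
    print(len(bomb), "bytes ->", try_inflate(bomb))
```

The same shape applies to any library that inflates attacker-controlled data: request the output in bounded chunks and abort as soon as the running total passes the policy limit, rather than inflating everything and measuring afterwards.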
EUVD, added 2026/02/07 3:26 a.m.

EUVD-2025-206899

Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to denial-of-service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability ...

CVSS 6.8 | AI score 5.5 | EPSS 0.00054
Exploits: 0 | References: 1
Positive Technologies, added 2026/02/07 12:00 a.m.

PT-2026-6873

Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to denial-of-service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability ...

CVSS 6.8 | AI score 5.6 | EPSS 0.00054
Exploits: 0 | References: 2
CNNVD, added 2026/02/07 12:00 a.m.

HCL Velocity security vulnerability

HCL Velocity is a value stream management and release platform developed by the Indian company HCL. HCL Velocity has a security vulnerability that stems from rate limits not being enforced for certain API calls, potentially leading to denial-of-service attacks...

CVSS 6.8 | AI score 5.8 | EPSS 0.00054
Exploits: 0 | References: 1
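The three HCL Velocity entries above (EUVD, Positive Technologies, CNNVD) describe the same missing control: API calls with no rate limit. The usual remedy is a per-client token bucket, which allows a short burst and then a bounded sustained rate, answering excess requests with 429 and a Retry-After hint. The block below is an added example written for this page, not HCL's code; the client key, the bucket sizes, the `handle_api_call` wrapper and the flood scenario are all assumptions chosen for illustration.

```python
import time
from typing import Callable, Dict, Tuple


class RateLimiter:
    """Per-client token bucket.

    Each client key (an API token, a user id or a source address; the deployer
    picks one that the attacker cannot freely vary) starts with `capacity`
    tokens that refill at `rate` tokens per second. A request spends one token;
    when the bucket is empty the call is rejected and the caller is told how
    long to wait. The clock is injectable so behaviour can be tested exactly.
    """

    def __init__(self, capacity: int, rate: float,
                 clock: Callable[[], float] = time.monotonic):
        if capacity <= 0 or rate <= 0:
            raise ValueError("capacity and rate must be positive")
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, cost: float = 1.0) -> Tuple[bool, float]:
        """Return (allowed, seconds_until_enough_tokens)."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Refill in proportion to elapsed time, never above the burst capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= cost:
            self._buckets[key] = (tokens - cost, now)
            return True, 0.0
        self._buckets[key] = (tokens, now)
        return False, (cost - tokens) / self.rate


def handle_api_call(limiter: RateLimiter, api_key: str) -> Tuple[int, dict]:
    """Hypothetical endpoint wrapper: 429 plus Retry-After when the bucket is empty."""
    ok, wait = limiter.allow(api_key)
    if not ok:
        return 429, {"Retry-After": str(max(1, int(wait + 0.999)))}
    return 200, {}


def simulate_flood(n_requests: int, capacity: int = 10, rate: float = 5.0) -> Tuple[int, int]:
    """Constructed scenario: one client fires n_requests with the clock frozen,
    then the clock advances two seconds and it fires n_requests again.
    Returns how many were accepted in each burst."""
    t = [0.0]
    limiter = RateLimiter(capacity, rate, clock=lambda: t[0])
    first = sum(1 for _ in range(n_requests)
                if handle_api_call(limiter, "key-A")[0] == 200)
    t[0] += 2.0  # two seconds later: 2 * rate tokens have refilled
    second = sum(1 for _ in range(n_requests)
                 if handle_api_call(limiter, "key-A")[0] == 200)
    return first, second


if __name__ == "__main__":
    print(simulate_flood(100))  # only capacity, then 2*rate, requests get through
```

Keying the bucket by an authenticated identity is what makes this hold against a single flooding client; for unauthenticated endpoints the key has to be the source address or a connection-level attribute, and the limiter should sit in front of the expensive work, not behind it.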
CVE, added 2026/02/06 8:30 p.m.

CVE-2026-25729

DeepAudit is affected by an improper access control vulnerability in the /api/v1/users/ endpoint present in version 3.0.4 and earlier. An authenticated user can enumerate all users and retrieve sensitive fields (emails, phone numbers, full names, roles). The issue is documented across multiple so...

CVSS 6.5 | AI score 5.5 | EPSS 0.00044
Exploits: 0 | References: 2 | Affected software: 1
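The Snyk entry (authorization bypass through a user-controlled key on /api/users) and the DeepAudit entry above (/api/v1/users/ returning every user's emails, phone numbers, names and roles to any authenticated caller) are the same defect: the handler authenticates the caller and then trusts whatever user id or listing request it is handed. The block below is an added example contrasting that pattern with object-level authorization; it is not code from either product, and the in-memory user directory, role names and projection rules are assumptions made for the illustration.

```python
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: int
    role: str          # "user" or "admin" (assumed role model)
    full_name: str
    email: str
    phone: str


# Constructed sample directory standing in for the product's user store.
USERS: Dict[int, User] = {
    1: User(1, "admin", "Ada Admin", "ada@example.test", "+1-555-0100"),
    2: User(2, "user", "Bob Builder", "bob@example.test", "+1-555-0101"),
    3: User(3, "user", "Cy Carter", "cy@example.test", "+1-555-0102"),
}

SENSITIVE_FIELDS = ("email", "phone", "full_name", "role")


def get_user_vulnerable(requester_id: int, target_id: int) -> Optional[dict]:
    """The pattern behind both entries: authentication is checked, then the id
    from the URL is used as a lookup key with no ownership check."""
    if requester_id not in USERS:
        return None
    target = USERS.get(target_id)
    return asdict(target) if target else None


def get_user_hardened(requester_id: int, target_id: int) -> Optional[dict]:
    """Object-level authorization: a caller may read its own record, an admin
    may read any record, everyone else gets nothing. Returning None for both
    'forbidden' and 'missing' also avoids confirming which ids exist."""
    requester = USERS.get(requester_id)
    target = USERS.get(target_id)
    if requester is None or target is None:
        return None
    if requester.id == target.id or requester.role == "admin":
        return asdict(target)
    return None


def list_users_hardened(requester_id: int) -> List[dict]:
    """A listing endpoint that does not enable enumeration: non-admins get a
    minimal projection (id only, an assumed policy), admins get full records."""
    requester = USERS.get(requester_id)
    if requester is None:
        return []
    if requester.role == "admin":
        return [asdict(u) for u in USERS.values()]
    return [{"id": u.id} for u in USERS.values()]


def leaked_sensitive_fields(record: Optional[dict]) -> set:
    """Which sensitive fields a response exposes; used to compare the two handlers."""
    return set(SENSITIVE_FIELDS) & set(record or {})


if __name__ == "__main__":
    # Bob (id 2) asks for Cy (id 3): the vulnerable handler hands over everything.
    print("vulnerable:", leaked_sensitive_fields(get_user_vulnerable(2, 3)))
    print("hardened:  ", get_user_hardened(2, 3))
```

The check belongs in the handler for every object-bearing route, not only the one that was reported; the same user-controlled key usually reaches several endpoints (get, update, delete, export) and the listing route needs its own projection rule rather than a per-object check.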
NVD, added 2026/02/06 8:16 p.m.

CVE-2026-25727

time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are...

CVSS 6.8 | EPSS 0.00016
Exploits: 0 | References: 4
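The time crate entry above describes stack exhaustion while parsing RFC 2822 dates that use deprecated, rarely-seen syntax. One such feature that commonly drives recursion in date parsers is the comment, "(...)", which RFC 2822 allows to nest and to contain backslash-escaped characters. The block below is an added example, not the time crate's code, showing a comment stripper written as a loop with an explicit depth ceiling so that pathological nesting is rejected in linear time with constant stack; the assumption that nested comments are the relevant feature, the depth ceiling of 8 and the helper names are this example's own.

```python
MAX_COMMENT_DEPTH = 8  # assumed ceiling; real headers almost never nest comments


def strip_comments(header: str, max_depth: int = MAX_COMMENT_DEPTH) -> str:
    """Remove RFC 2822 comments from a header value.

    Comments are parenthesised, may nest, and may contain quoted-pairs
    ("\\)" is a literal ')' rather than a close). A recursive-descent parser
    that recurses once per '(' consumes stack in proportion to the nesting
    depth; this loop tracks depth in an integer and refuses input beyond
    max_depth, so a header of a million '(' characters fails fast instead
    of exhausting the stack.
    """
    out = []
    depth = 0
    i = 0
    n = len(header)
    while i < n:
        ch = header[i]
        if ch == "\\" and i + 1 < n:      # quoted-pair: next char is literal
            if depth == 0:
                out.append(header[i:i + 2])
            i += 2
            continue
        if ch == "(":
            depth += 1
            if depth > max_depth:
                raise ValueError(f"comment nesting exceeds {max_depth}")
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' in header")
            depth -= 1
        elif depth == 0:
            out.append(ch)
        i += 1
    if depth != 0:
        raise ValueError("unterminated comment")
    return "".join(out)


def parse_result(header: str, max_depth: int = MAX_COMMENT_DEPTH) -> str:
    """'ok:<stripped header>' or 'rejected:<reason>'; convenient for checks."""
    try:
        return "ok:" + strip_comments(header, max_depth)
    except ValueError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    # Constructed samples: an ordinary header, a nested comment, and a nesting bomb.
    print(parse_result("Mon, 1 Jan 2024 00:00:00 +0000 (UTC)"))
    print(parse_result("Tue, 2 Jan 2024 (a (b (c))) 00:00:00 +0000"))
    print(parse_result("(" * 100_000 + "Wed, 3 Jan 2024 00:00:00 +0000" + ")" * 100_000))
```

The general rule the example illustrates: any grammar feature that a parser handles by recursion (nested comments, nested brackets, nested structures in JSON or ASN.1) needs either an iterative implementation or an explicit depth limit before it is exposed to untrusted input, and the limit should be far below what the runtime's stack would tolerate.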