Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in hackney versions prior to 0.13.0 to 4.0.1, which stems from a URL decoding of host components by URL normalization functions that could lead to server-side request forgery...

PT-2026-43069

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney ws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the intern...

PT-2026-43108

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions 1.6.14 through 1.6.16 Roundcube Webmail versions prior to 1.7.1 Description Remote image blocking is not honored for URLs pointing to local or private destinations. This issue can be triggered via a text/html email...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-47138 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-47138 Source advisory: OSV:GHSA-38M6-82C8-4XFM...

CVE-2026-40864

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection updated in 4.1.0 inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affecte...

CVE-2026-3294

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full...

CVE-2026-3294

CVE-2026-3294 concerns an authentication logic vulnerability in multiple TP-Link range extenders. The issue allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation, enabling full administrative c...

CVE-2026-3294 Authentication Logic Vulnerability on Multiple TP-Link Range Extenders

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full...

CVE-2026-40864 JupyterHub: Cross-origin form POSTs bypass XSRF

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection updated in 4.1.0 inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affecte...

CVE-2026-9249

Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : Devolutions Server 2026.1.6.0 through 2026.1.16.0 Devolutions Server 2025.3.20.0 and earlier...

org.apache.cxf.systests:cxf-systests-jaxrs (>=4.0.0 <=4.1.5), org.apache.cxf.systests:cxf-systests-transport-jms (>=4.0.0 <=4.1.5) +18 more potentially affected by CVE-2025-48913 +1 more via org.apache.cxf:cxf-rt-transports-jms (>=4.0.0 <=4.1.5)

org.apache.cxf:cxf-rt-transports-jms MAVEN version =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =6.2.0.Final, =7.3.7.Final, =7.0.0.Final, =7.0.0.Final, =6.2.0.Final, =6.2.0.Final, =7.0.0.Final, =7.0.0.Final, =6.2.0.Final, =7.4.0.Beta3 and more Source cves: CVE-2025-48913, CVE-2026-4441...

CVE-2026-9246

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 throug...

CVE-2026-9249

Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : Devolutions Server 2026.1.6.0 through 2026.1.16.0 Devolutions Server 2025.3.20.0 and earlier...

CVE-2026-9249

This CVE concerns Devolutions Server where a crafted password-change request allows an attacker to change a user’s password without providing the current one. Affected versions include Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and earlier; no root-cause or fix details are provided...

CVE-2026-8353 Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicio...

Buffer overflow in the ngx_http_rewrite_module

Buffer overflow in the ngxhttprewritemodule Severity: medium CVE-2026-9256 Not vulnerable: 1.31.1+, 1.30.2+ Vulnerable: 0.1.17-1.31.0...

CVE-2026-8997 Heap Buffer Overflow in vifm

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file vifminfo.json. This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the...

SUSE CVE-2026-44060

An integer underflow in dsiwriteinit in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request...

PT-2026-42788

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : Devolutions...

Vifm 安全漏洞

Vifm is a Vim-style file manager developed by Vifm. Versions 0.12.1 to 0.14.3 of Vifm contain security vulnerabilities. These vulnerabilities stem from heap buffer overflows during historical merges, which could lead to memory corruption or application crashes...