CVE-2025-12008 IDOR in APPYAP's Yaay Social Media App

Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Yaay Social Media App: from 3.8.0 through 24102025...

RUSTSEC-2026-0141 TLS hostname verification disabled when using Boring TLS backend

An inverted-boolean bug in lettre's boring-tls integration silently disables TLS hostname verification for callers using the default strict configuration. An on-path attacker presenting any chain-valid certificate for any domain can intercept SMTP submission, including PLAIN/LOGIN credentials and...

TLS hostname verification disabled when using Boring TLS backend

An inverted-boolean bug in lettre's boring-tls integration silently disables TLS hostname verification for callers using the default strict configuration. An on-path attacker presenting any chain-valid certificate for any domain can intercept SMTP submission, including PLAIN/LOGIN credentials and...

CVE-2026-3607

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control...

UBUNTU-CVE-2026-3607

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control...

UBUNTU-CVE-2026-6073

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arbitrary JavaScript in other users' browsers due to improper input sanitization...

CVE-2025-12669

GitLab CVE-2025-12669 affects GitLab CE/EE versions 15.11 up to before 18.9.7, 18.10 up to before 18.10.6, and 18.11 up to before 18.11.3. The issue arises from improper input sanitization, allowing an authenticated user to inject HTML and JavaScript into email notifications sent to other users. ...

CVE-2026-1322 Business Logic Errors in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a readapi scoped OAuth application to create issues and add comments to issues in private projects due t...

Apache Commons 安全漏洞

Apache Commons is an Apache project focused on reusable Java components, developed by the Apache Foundation in the United States. There were security vulnerabilities in versions of Apache Commons from 2.2 to 2.15.0. These vulnerabilities stemmed from uncontrolled recursion when processing YAML...

GitLab Enterprise Edition（EE）和GitLab Community Edition（CE） 安全漏洞

GitLab Enterprise Edition EE and GitLab Community Edition CE are products of the American company GitLab. GitLab Enterprise Edition is a content management system. GitLab Community Edition is a community version of GitLab. There were security vulnerabilities in versions of GitLab CE/EE from 15.1 ...

GitLab 安全漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery. Vulnerabilities exist in versions of GitLab CE/EE 18.3 to 18.9.7, 18.10...

PoDoFo 资源管理错误漏洞

PoDoFo is a free, portable C++ library open sourced by PoDoFo. Versions of PoDoFo from 1.0.0 to 1.0.4 had a resource management bug. This bug stemmed from a double release in the computehashtosign function. When the EVPDigestFinal function failed after the buf had already been released, the error...

Valtimo 日志信息泄露漏洞

Valtimo is an open-source low-code platform for business process automation developed by Valtimo in the Netherlands. Versions 12.4.0 to 12.33.0 and 13.26.0 of Valtimo have a vulnerability related to log information leakage. This vulnerability stems from the LoggingRestClientCustomizer automatical...

Yordam Library Automation System 安全漏洞

Yordam Library Automation System is an application developed by Yordam Corporation. Versions of the Yordam Library Automation System from v.19.5 to v.22.1 contained security vulnerabilities. These vulnerabilities were caused by incorrect authorization settings, which could lead to exploitation of...

Pode 路径遍历漏洞

Pode is an open-source framework developed by Badgerati for PowerShell ecosystems, aimed at cross-platform web and API development. Versions of Pode from 2.4.0 to 2.13.0 contained a path traversal vulnerability. This vulnerability stemmed from static routing, which allowed requests to include...

rust-openssl 安全漏洞

rust-openssl is an open-source library designed for interacting with the OpenSSL library. There were security vulnerabilities in the version of rust-openssl from 0.10.0 to 0.10.79. These vulnerabilities stemmed from incorrect calculations of the output buffer size when using AES key wrap padding,...

CVE-2026-46419

Yubico webauthn-server-core aka java-webauthn-server 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation...

CVE-2026-44369 CVAT: Stored XSS via annotation guides

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

@beardeddudes/strapi-types (>=0.1.0 <=0.1.1), @bimbeo160/admin (=4.12.2) +70 more potentially affected by CVE-2026-22599 via @strapi/plugin-content-type-builder (>=4.0.0 <=4.26.0)

@strapi/plugin-content-type-builder NPM version =4.0.0, =0.1.0, =4.12.2, =0.0.1, =1.0.9, =1.3.2, =4.1.12, =0.2.0, =1.0.0-alpha.2, =1.1.0, =1.4.0-rc.0 - @mtcndyl/strapi-plugin-firebase-auth =1.0.3 and more Source cves: CVE-2026-22599 Source advisory: OSV:GHSA-3XCQ-8MJW-H6MX...

EUVD-2025-209824

NXP moal.ko Wi-Fi driver 5.1.7.10 FW version from v17.92.1.p149.43 To v17.92.1.p149.157 was discovered to contain a buffer overflow via the modpara parameter in the woalinitmoduleparam function...