CVE-2026-3953

CVE-2026-3953 describes a Reflected XSS in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce due to improper neutralization of input during web page generation. Affected software: Proticaret E-Commerce from v5.0.0 to before v6.0.1767.1383. The CVSS 3.1 base metrics indicate HIGH i...

SUSE-SU-2026:1745-1 Security update for rmt-server

This update for rmt-server fixes the following issues: Update to version 2.27. Security issues fixed: - CVE-2026-26961: rack: greedy multipart boundary parsing can lead to parser differentials and WAF bypass bsc1261398. - CVE-2026-26962: rack: improper unfolding of folded multipart headers can le...

CVE-2026-41673

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...

NPM: vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape

NPM: vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape vulnerability discovered by ? in WordPress Npm vm2 versions = 3.9.6, = 3.10.5...

CVE-2026-41673

CVE-2026-41673 affects xmldom (npm package @xmldom/xmldom/xmldom). The vulnerability arises from seven recursive traversals in lib/dom.js (including normalize, serializeToString, getElementsByTagName(s), getElementsByClassName, getElementById, cloneNode, importNode, textContent, isEqualNode) that...

EUVD-2026-28288

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...

CVE-2026-41891 CI4MS: Deactivated User Session Bypass (active=0)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version...

SUSE CVE-2026-43075

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2writeendinline KASAN reports a use-after-free write of 4086 bytes in ocfs2writeendinline, called from ocfs2writeendnolock during a copyfilerange splice fallback on a corrupted ocfs2 filesyst...

SUSE CVE-2026-43129

In the Linux kernel, the following vulnerability has been resolved: ima: verify the previous kernel's IMA buffer lies in addressable RAM Patch series "Address page fault in imarestoremeasurementlist", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem="...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2845 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.12.Final)

io.netty:netty-codec-http MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42587 Source advisory: OSV:GHSA-F6HV-JMP6-3VWV...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +3524 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-compression (>=4.2.0.Alpha3 <=4.2.12.Final)

io.netty:netty-codec-compression MAVEN version =4.2.0.Alpha3, =0.1.0, =0.1.0, =4.7.4, =4.7.4, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42587 Source advisory: SNYK:JAVA-IONETTY-16438931...

ai.spice:spiceai (=0.6.0), cn.isqing.icloud:icloud-common-utils (>=4.0.3-M1 <=4.0.3.1) +366 more potentially affected by CVE-2026-42586 via io.netty:netty-codec-redis (>=4.2.0.Alpha1 <=4.2.12.Final)

io.netty:netty-codec-redis MAVEN version =4.2.0.Alpha1, =4.0.3-M1, =1.21.9, =3.4.7, =25.4.1, =26.2.1, =7.9.0, =5.1.0, =5.1.0, =6.80, =0.2.2, =0.2.4 and more Source cves: CVE-2026-42586 Source advisory: SNYK:JAVA-IONETTY-16439010...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +753 more potentially affected by CVE-2026-42582 via io.netty:netty-codec-http3 (>=4.2.10.Final <=4.2.12.Final)

io.netty:netty-codec-http3 MAVEN version =4.2.10.Final, =0.1.0, =0.1.0, =0.0.1-alfa, =0.0.1-demo, =6.0.1, =4.0.3-M1, =1.21.9, =1.0.5, =3.6.4, =1.0.1, =26.2.1, =26.4.2 and more Source cves: CVE-2026-42582 Source advisory: SNYK:JAVA-IONETTY-16438978...

be.appify.prefab:prefab-sns-sqs (>=0.4.0 <=0.7.1), be.appify.prefab:prefab-test (>=0.4.0 <=0.7.1) +8 more potentially affected by CVE-2026-44308 via io.awspring.cloud:spring-cloud-aws-sns (>=4.0.0 <=4.0.1)

io.awspring.cloud:spring-cloud-aws-sns MAVEN version =4.0.0, =0.4.0, =0.4.0, =4.0.0, =4.0.0, =4.0.0, =2.1.0, =1.3.0, =7.0.0, =7.0.0, =7.3.1 Source cves: CVE-2026-44308 Source advisory: OSV:GHSA-R4W4-WV68-QV85...

NPM: Vercel: Non-interactive mode includes CLI arguments in suggested command output

NPM: Vercel: Non-interactive mode includes CLI arguments in suggested command output vulnerability discovered by ? in WordPress Npm vercel versions = 50.16.0, = 52.0.0...

@caliperai/caliper (>=0.2.0 <=0.3.0), @doccov/api (>=0.6.0 <=0.6.4) +12 more potentially affected by CVE-2026-44479 via vercel (>=50.41.0 <=51.8.0)

vercel NPM version =50.41.0, =0.2.0, =0.6.0, =0.3.0-rc.2, =3.10.3, =1.1.1, =1.0.1, =1.0.2, =0.1.19, =0.4.0-rc.3, =1.0.0, =2.0.0 Source cves: CVE-2026-44479 Source advisory: SNYK:JS-VERCEL-16638653...

VMware Spring Cloud Config 路径遍历漏洞

VMware Spring Cloud Config is a configuration management solution for distributed systems developed by VMware, Inc. This product provides server and client support for external configurations in distributed systems. VMware Spring Cloud Config has a path traversal vulnerability, which stems from t...

DivvyDrive 跨站请求伪造漏洞

DivvyDrive is a file storage and sharing management platform developed by DivvyDrive Inc. in Turkey. Versions of DivvyDrive from 4.8.2.9 to 4.8.3.2 contained a cross-site request forgeing vulnerability. This vulnerability was caused by cross-site request forgeing, and it could lead to cross-site...

Wallos 代码问题漏洞

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.8.1 contained code vulnerabilities. These vulnerabilities stemmed from the SSRF protection mechanism not preventing the CGNAT address range, which could allow authenticated users to...

GitPython 操作系统命令注入漏洞

GitPython is a Python library developed by gitpython-developers, used for interacting with Git repositories. Versions of GitPython from 3.1.30 to 3.1.47 contained an operating system command injection vulnerability. This vulnerability stemmed from allowing dangerous Git options without proper...