Important: kernel-livepatch-6.12.74-98.124

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through pskbcopy CVE-2026-46300 Affected Packages: kernel-livepatch-6.12.74-98.124 Issue Correction: Please ensure you have live patching enabled. Run dnf update...

PT-2026-43402

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code executi...

Session Fixation

Overview org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Session Fixation during the login operation in DefaultSecurityManager.ja...

CVE-2026-9501

A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompressR2004section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has...

CVE-2026-44598

With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

CVE-2026-45361

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...

CVE-2026-45361 Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...

CVE-2026-9490

A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message message type 0x03 to the pipe, causing the service ...

CVE-2026-9490 Acer Care Center creates a Named Pipe with a weak Security Descriptor

A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message message type 0x03 to the pipe, causing the service ...

CVE-2026-9490

Affected product: Acer Care Center (ACC Svc). The vulnerability arises because the ACCSvc service creates a Named Pipe with a weak security descriptor, permitting an authenticated local user to connect and send a crafted message (type 0x03). This can trigger the service to crash with exit code 10...

PT-2026-43021

Name of the Vulnerable Software and Affected Versions Acer Care Center affected versions not specified Description The ACCSvc service creates a Named Pipe with a weak Security Descriptor. This allows an authenticated local user to connect and send a specially crafted message of type 0x03 to the...

Fedora 44 : python3.15 (2026-2ee2d7abd5)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-2ee2d7abd5 advisory. New prerelease of Python 3.15 with several CVE fixes Tenable has extracted the preceding description block directly from the Fedora security advisor...

PT-2026-43023

Name of the Vulnerable Software and Affected Versions apache-airflow-providers-google versions prior to 22.0.0 Description The ComputeEngineSSHHook disables SSH host-key verification by default. This configuration exposes SSH traffic between an Airflow worker and a Compute Engine VM to in-path...

Fedora 42 : kernel (2026-b9f338a467)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-b9f338a467 advisory. The 6.19.14-108 stable kernel update contains a couple if important security fixes. Tenable has extracted the preceding description block directly from the...

Fedora 44 : composer (2026-bd05cb6c4d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-bd05cb6c4d advisory. Version 2.9.8 - 2026-05-13 Security: Fixed GitHub token validation and disclosure GHSA-f9f8-rm49-7jv2 Tenable has extracted the preceding description block...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the AddressRepository::getSqlQuery method that constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore...

Deserialization of Untrusted Data

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of model configuration files, an attacker can craft a malicious config.json file...

Buffer Overflow

Overview Affected versions of this package are vulnerable to Buffer Overflow via the NGReset Message Handler process. An attacker can cause memory corruption and potentially impact confidentiality, integrity, and availability by sending specially crafted messages remotely. Remediation Upgrade...