CVE-2025-67888

Control Web Panel (CWP) before 0.9.8.1209 is affected by an unauthenticated OS command injection flaw. User input passed in the GET parameter “key” to /admin/index.php (when the “api” parameter is set) is not properly sanitized, allowing an attacker to inject and execute arbitrary commands with r...

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the SimpleFunctionRegistry composition. An attacker can exhaust memory or trigger unbounded recursive function composition by supplying crafted function definitions that...

Missing Authorization

Overview org.springframework.ai:spring-ai-openai is an OpenAI models support Affected versions of this package are vulnerable to Missing Authorization via the default configuration of the Spring AI chat memory component. An attacker can access data from other users when DEFAULTCONVERSATIONID is n...

Linux Distros Unpatched Vulnerability : CVE-2026-43359

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the...

Linux Distros Unpatched Vulnerability : CVE-2026-8124

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidxboxread of the file src/isomedia/boxcodebase.c. The manipulation...

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the GDnentries function. An attacker can execute arbitrary code or cause a denial of service by providing a specially crafted DataFieldName argument. Remediation Upgrade gdal to version 3.12.4 or higher...

GHSA-R736-2678-FCRX FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

Summary A stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other use...

Security Bulletin: Vulnerabilities have been identified in IBM® SDK, Java™ Technology Edition shipped with IBM Buinses Automation Workflow due to the April 2026 Java CPU

Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about security vulnerabilities in IBM® SDK, Java™ Technology Edition affecting IBM WebSphere Application Server Traditional have been published in a security bulletin. Vulnerability...

Security Bulletin: IBM Maximo Scheduler Optimizer uses brace-expansion-1.1.11.tgz which is vulnerable to CVE-2026-33750

Summary IBM Maximo Scheduler Optimizer uses brace-expansion-1.1.11.tgz which is vulnerable to CVE-2026-33750. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-33750 DESCRIPTION: The brace-expansion library generates arbitrary...

Security Bulletin: IBM Maximo Scheduler Optimizer uses requests-2.32.5-py3-none-any.whl which is vulnerable to CVE-2026-25645

Summary IBM Maximo Scheduler Optimizer uses requests-2.32.5-py3-none-any.whl which is vulnerable to CVE-2026-25645. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-25645 DESCRIPTION: Requests is a HTTP library. Prior to version...

Security Bulletin: IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199

Summary IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web applicati...

Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality (CVE-2026-25679)

Summary IBM App Connect Enterprise Certified Container operator and DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Golang module url.Parse...

GHSA-J6HH-H3CF-C2HF Spring Cloud Config Server Logged Sensitive Information

When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs. - Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 inclusive; no open-source upgrade available. - Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13...

Spring Cloud Config Server Logged Sensitive Information

When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs. - Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 inclusive; no open-source upgrade available. - Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13...

GHSA-4CX3-3C38-J9VV katalyst-koi: Session cookies can be replayed after user logout

Impact Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin...

katalyst-koi: Session cookies can be replayed after user logout

Impact Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin...

Improperly Implemented Security Check for Standard

Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to missing concurrent procedure validation in the SecurityMode and handleHandoverRequiredMain functions. An attacker can cause mismatches between security contexts, potentially...

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling via the getChunkSize function. An attacker can inject unauthorized HT...

wasmtime has a panic when allocating a table exceeding the size of the host's address space

Impact Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables ca...