Lucene search

815 matches found

CVE
added 6 days ago, 28 views

CVE-2026-44849

CVE-2026-44849 describes an endpoint security bypass in Portainer: non-admin users with Swarm endpoint access can create/update services and bypass EndpointSecuritySettings checks, allowing elevated capabilities, broken syscall confinement, and bind mounts to host paths. Affected are Portainer re...

CVSS 9.4 | AI score 5.8 | EPSS 0.00039
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 6 days ago, 5 views

CVE-2026-49129 Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin

Music Player Daemon MPD before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP...

CVSS 6.9 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 7
RedhatCVE
added 2026/05/26 11:09 a.m., 6 views

CVE-2026-48700

A flaw was found in PCManFM-Qt. This vulnerability allows an attacker to achieve arbitrary code execution or bypass network security restrictions. This occurs when a specially crafted file path, provided as a Uniform Resource Identifier URI in a D-Bus method call, causes PCManFM-Qt to open the fi...

CVSS 9.3 | AI score 6.2 | EPSS 0.00016
Exploits: 0 | References: 2
RedHat Linux
added 2026/05/21 12:04 a.m., 6 views

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the...

CVSS 6.4 | AI score 7.2 | EPSS 0.0001
Exploits: 0 | References: 8
RedhatCVE
added 2026/05/20 1:23 p.m., 2 views

CVE-2026-44933

A flaw was found in libzypp. This vulnerability allows a local attacker to bypass security restrictions within the PluginScript component. By exploiting how the system attempts to isolate plugins, an attacker can execute unauthorized programs on the host system with root privileges...

CVSS 8.5 | AI score 5.8 | EPSS 0.00006
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/19 12:00 a.m., 6 views

PT-2026-42050

Name of the Vulnerable Software and Affected Versions: Budibase versions prior to 3.38.2. Description: The file upload endpoint "/api/attachments/process" does not enforce active-content restrictions for authenticated users. The system fails to properly check for dangerous file extensions when the...

CVSS 7.6 | AI score 5.8 | EPSS 0.00033
Exploits: 0 | References: 5
RedhatCVE
added 2026/05/18 12:44 p.m., 9 views

CVE-2026-41646

A flaw was found in Nuclei. A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files. This can be exploited by an attacker through the require function, bypassing default local file access restrictions, leading to information disclosure...

CVSS 5.5 | AI score 5.7 | EPSS 0.00012
Exploits: 0 | References: 2
Cvelist
added 2026/05/15 9:23 p.m., 29 views

CVE-2026-45350 Open WebUI: Chat completion API allows tool restrictions to be bypassed

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.6, there is a vulnerability in the chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. In the chat_completion API, t...

CVSS 7.1 | EPSS 0.00056
Exploits: 1 | References: 1
CVE
added 2026/05/15 9:23 p.m., 12 views

CVE-2026-45350

Open WebUI (self-hosted AI platform) has a vulnerability in the chat_completion API prior to version 0.8.6 where user-supplied tool_ids/tool_servers are used to build a tools_dict without permission checks. This allows invoking any server tool using the server's credentials, bypassing tool restri...

CVSS 7.1 | AI score 5.8 | EPSS 0.00056
Exploits: 1 | References: 1 | Affected Software: 1
Redos
added 2026/05/15 12:00 a.m., 6 views

ROS-20260515-73-0053

A vulnerability in the Google Chrome browser is related to access control flaws. Exploitation of the vulnerability could allow an attacker acting remotely to bypass navigation restrictions using a specially crafted HTML page...

CVSS 6.5 | AI score 5.8 | EPSS 0.00032
Exploits: 0
Github Security Blog
added 2026/05/14 8:24 p.m., 2 views

Open WebUI's chat completion API allows tool restrictions to be bypassed

Summary: Open WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. Details: In the chat_completion API, the parameters tool_ids and tool_servers are supplied by the user. These...

CVSS 7.1 | AI score 5.7 | EPSS 0.00056
Exploits: 1 | References: 5 | Affected Software: 1
RedHat Linux
added 2026/05/13 3:12 p.m., 3 views

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the...

CVSS 6.4 | AI score 7.2 | EPSS 0.0001
Exploits: 0 | References: 8
Tenable Nessus
added 2026/05/07 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2026-7937

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to...

CVSS 3.1 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/30 6:21 p.m., 1 view

CVE-2026-35514 Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

CVSS 6.5 | AI score 5.7 | EPSS 0.00182
Exploits: 0 | References: 2
NVD
added 2026/04/27 8:16 a.m., 3 views

CVE-2026-22077

OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure...

CVSS 5.6 | EPSS 0.00014
Exploits: 0 | References: 1
OSV
added 2026/04/23 12:23 p.m., 0 views

SUSE-SU-2026:21291-1 Security update for podman

This update for podman fixes the following issues: - CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: Container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252376). - CVE-2025-47913: golang.org/x/crypto/ssh/agent: client process termination when receiving an...

CVSS 8.4 | AI score 7 | EPSS 0.00026
Exploits: 5 | References: 9
NVD
added 2026/04/08 10:16 p.m., 1 view

CVE-2026-5894

Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVSS 4.3 | EPSS 0.00023
Exploits: 0 | References: 2
CVE
added 2026/04/08 9:20 p.m., 4 views

CVE-2026-5896

CVE-2026-5896 relates to a policy bypass in the Audio component of Google Chrome before version 147.0.7727.55. A remote attacker could persuade a user to perform specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. The description indicates affected software is Go...

CVSS 6.1 | AI score 5.9 | EPSS 0.00033
Exploits: 0 | References: 2 | Affected Software: 1
Debian CVE
added 2026/04/08 9:20 p.m., 3 views

CVE-2026-5894

Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...

CVSS 4.3 | AI score 8.4 | EPSS 0.00023
Exploits: 0
Positive Technologies
added 2026/04/08 12:00 a.m., 2 views

PT-2026-31505

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 147.0.7727.55. Description: Insufficient validation of untrusted input in Downloads in Google Chrome on Windows allowed a remote attacker to bypass download restrictions via a crafted HTML page. The security...

CVSS 9.6 | AI score 5.8 | EPSS 0.00161
Exploits: 0 | References: 65