
815 matches found

OSV
added 2026/01/22 1:1 p.m., 0 views

SUSE-SU-2026:20123-1 Security update for buildah

This update for buildah fixes the following issues: - CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed non validated message size causing a panic due to an out of bounds read bsc1254054 - CVE-2025-47913: golang.org/x/crypto/ssh/agent: Fixed client process termination when receiving an...

CVSS 8.4, AI score 6.2, EPSS 0.00026
Exploits 5, References 9
Tenable Nessus
added 2026/01/16 12:0 a.m., 1 view

MiracleLinux 3 : mod_nss-1.0.8-8.AXS3 (AXSA:2014-238:01)

The remote MiracleLinux 3 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2014-238:01 advisory. The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the...

CVSS 4, AI score 8.3, EPSS 0.00124
Exploits 0, References 2
Tenable Nessus
added 2026/01/16 12:0 a.m., 1 view

MiracleLinux 4 : firefox-60.3.0-1.0.1.AXS4 (AXSA:2018-3377:08)

The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2018-3377:08 advisory. Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 CVE-2018-12390 Mozilla: Crash with nested event loops CVE-2018-12392 Mozilla:...

CVSS 9.8, AI score 8.1, EPSS 0.04967
Exploits 0, References 8
Tenable Nessus
added 2026/01/15 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-21636

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without...

CVSS 10, AI score 6.8, EPSS 0.00023
Exploits 1, References 2
RedhatCVE
added 2026/01/14 11:24 a.m., 3 views

CVE-2025-14001

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with...

CVSS 5.4, AI score 5.2, EPSS 0.00015
Exploits 0, References 1
Ubuntu
added 2026/01/14 9:59 a.m., 7 views

USN-7960-1: Rack vulnerabilities

It was discovered that Rack incorrectly handled certain query parameters. An attacker could possibly use this issue to cause a limited denial of service. This issue was only addressed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. CVE-2025-59830 It was discovered that Rack did not properly handle...

CVSS 7.5, AI score 7.1, EPSS 0.00324
Exploits 0
NVD
added 2026/01/13 11:15 p.m., 2 views

CVE-2022-50907

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution...

CVSS 8.6, EPSS 0.00598
Exploits 1, References 4
OSV
added 2026/01/13 11:15 p.m., 0 views

CVE-2022-50906

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads...

CVSS 4.8, AI score 5.9, EPSS 0.00111
Exploits 1, References 4
RedhatCVE
added 2026/01/09 12:31 p.m., 3 views

CVE-2023-40116

In onTaskAppeared of PipTaskOrganizer.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 7.8, AI score 6.9, EPSS 0.00004
Exploits 0, References 1
RedhatCVE
added 2026/01/09 11:53 a.m., 3 views

CVE-2009-4912

Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.12 complete an SSL handshake with an HTTPS client even if this client is unauthorized, which might allow remote attackers to bypass intended access restrictions via an HTTPS session, aka Bug ID CSCso10876...

CVSS 10, AI score 7.2, EPSS 0.00301
Exploits 0, References 1
RedhatCVE
added 2026/01/09 10:34 a.m., 5 views

CVE-2017-18886

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands...

CVSS 8.8, AI score 7, EPSS 0.00336
Exploits 0, References 1
SUSE CVE
added 2026/01/06 12:37 a.m., 2 views

SUSE CVE-2017-18886

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands...

CVSS 8.8, AI score 8.4, EPSS 0.00336
Exploits 0, References 2
CVE
added 2025/12/22 9:35 p.m., 5 views

CVE-2023-53979

Summary of the vulnerability (CVE-2023-53979): MyBB 1.8.32 contains a chained vulnerability that authenticated administrators can exploit to bypass avatar upload restrictions and achieve remote code execution. The attack leverages the ability to modify upload path settings, upload a PHP-embedded...

CVSS 8.8, AI score 7.2, EPSS 0.00136
Exploits 1, References 5, Affected Software 1
NVD
added 2025/12/18 10:16 a.m., 1 view

CVE-2025-13641

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided...

CVSS 8.8, EPSS 0.00095
Exploits 0, References 4
OSV
added 2025/12/15 9:15 p.m., 0 views

CVE-2023-53893

Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the...

CVSS 6.5, AI score 5.9
Exploits 0, References 4
RedhatCVE
added 2025/12/04 5:16 p.m., 3 views

CVE-2024-32643

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6...

CVSS 7.5, AI score 6.8, EPSS 0.00063
Exploits 1, References 1
CVE
added 2025/11/26 12:0 a.m., 13 views

CVE-2025-65669

Summary: CVE-2025-65669 affects classroomio 0.1.13, where student accounts can delete courses from the Explore page without authorization, bypassing admin-only checks. Root cause (as described): missing authorization checks in the delete path. Impact: potential unauthorized course deletion with h...

CVSS 9.1, AI score 6.8, EPSS 0.00221
Exploits 1, References 3, Affected Software 1
OSV
added 2025/11/10 8:15 p.m., 2 views

CVE-2025-12431

Inappropriate implementation in Extensions in Google Chrome prior to 142.0.7444.59 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. Chromium security severity: High...

CVSS 6.5, AI score 5.8
Exploits 0, References 2
OSV
added 2025/10/21 5:15 p.m., 1 view

CVE-2025-60500

QDocs Smart School Management System 7.1 allows authenticated users with roles such as "accountant" or "admin" to bypass file type restrictions in the media upload feature by abusing the alternate YouTube URL option. This logic flaw permits uploading of arbitrary PHP files, which are stored in a...

CVSS 7.2, AI score 5.9, EPSS 0.00193
Exploits 1, References 1
CVE
added 2025/10/09 6:28 p.m., 40 views

CVE-2025-4615

The CVE-2025-4615 entry concerns Palo Alto Networks PAN-OS management web interface. An improper input neutralization vulnerability allows an authenticated administrator to bypass system restrictions and execute arbitrary commands. Affected PAN-OS versions are indicated in Nessus plugin reference...

CVSS 7.2, AI score 6.8, EPSS 0.00057
Exploits 2, References 1, Affected Software 1