752 matches found
CVE-2026-45337
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny...
CVE-2026-6804
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacke...
EUVD-2026-43144
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacke...
CVE-2026-57251
The application opens a PDF, but the cloud-like appearance of the construction process lacks proper setting of an upper limit and consistency checks. Out-of-bounds access to the underlying array is exposed, ultimately leading to a crash of the application...
CVE-2026-53345
A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM component. This vulnerability occurs when a virtual machine is shutting down, and KVM attempts to mark memory as dirty without an active virtual CPU. This can lead to a memory leak, impacting system stability and resource...
EUVD-2026-38083
Authelia has an Edge Case Access Control Rule Mismatch...
EUVD-2026-39531
RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64...
CVE-2026-52951 drm/xe/dma-buf: handle empty bo and UAF races
In the Linux kernel, the following vulnerability has been resolved: drm/xe/dma-buf: handle empty bo and UAF races There look to be some nasty races here when triggering the invalidatemappings hook: 1 We do xeboalloc followed by the attach, before the actual full bo init step in xedmabufinitobj...
Astra Linux – Vulnerability found in Linux 6.12, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: NFSD: The free copynotify stateid in nfs4freeolstateid has been fixed. Typically, the copynotify stateid is freed either when the parent’s stateid is being closed/freed, or in nfsd4laundromat if the stateid has not been used duri...
EUVD-2025-210310
HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario...
CVE-2025-15619
HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario...
CVE-2025-15619
Technical details about CVE-2025-15619 are not publicly available in the provided documents. No affected products, versions, or remediation are specified. Monitor for updates.
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...
PT-2026-51525
Name of the Vulnerable Software and Affected Versions HCL Connections affected versions not specified Description Broken access control may allow an unauthorized user to view data in a single specific scenario. Recommendations At the moment, there is no information about a newer version that...
Astra Linux – Vulnerability in Linux 5.15
In the Linux kernel, the following vulnerabilities have been resolved: bpf: Memory leaks have been fixed in checkfunccall. kmemleak reports this issue: Unreferenced object 0xffff88817139d000 size 2048: comm "testprogs", pid 33246, jiffies 4307381979 age 45851.820s Hex dump first 32 bytes: 01 00 0...
EUVD-2026-37585
The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level...
PT-2026-50223
In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote proximal/adjacent escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
DEBIAN-CVE-2026-54411
Linux-PAM through 1.7.2 contains an observable timing discrepancy CWE-208 in the pamuserdb module's plaintext-password comparison path in modules/pamuserdb/pamuserdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the...
PT-2026-47839
Name of the Vulnerable Software and Affected Versions OpenSSL affected versions not specified Description An error in the callback used to verify certificates during a Root CA key update in the Certificate Management Protocol CMP renders certificate validation ineffectual. Specifically, a typo in...
CVE-2026-47713
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user - multi-user migration even when the device record has userId = null. In...