PT-2026-50719

Summary The Sentry exporter constructs Sentry API URLs by interpolating the span's service.name resource attribute into the URL path without validation. Because service.name is controlled by remote OTLP senders and the operator-configured bearer token is attached to every request, a crafted servi...

D-Link DSL2600U Rule-Based IoT Intrusion Detection System

This is a IoT attack detection script that monitors HTTP request behavior to identify potentially malicious activity against devices such as routers or embedded systems...

389-ds:1.4 security update

1.4.3.39-24 - Bump version to 1.4.3.39-24 - Resolves: RHEL-170278 - Memory leaks in syncrepl plugin during persistent search operations rhel-8.10.z - Resolves: RHEL-163375 - WARN - keys2idl - received NULL idl from indexreadextallids - Resolves: RHEL-159306 - ns-slapd crash in libdb possible memo...

PT-2026-50721

TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link or email link. This link target would then be clickable by the user who entered it. A successful attack commonly requires knowledge of the...

PT-2026-50743

githubreceiver Silently Ignores Configured required headers Authentication Summary The githubreceiver webhook handler does not enforce the required headers configuration. Headers are validated at startup config rejects empty keys/values but never checked on incoming requests. This follows the sam...

PT-2026-50729

Component: tract-nnef nnef/src/tensors.rs::read tensor + tract-data data/src/tensor.rs - Affected versions: 0.21.16, 0.22.0–0.22.2, 0.23.0–0.23.1 — the dense DatLoader path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 integer overflow →...

PT-2026-50813

HTML injection in pgAdmin 4's cloud deployment module. The verify credentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit...

PT-2026-50816

SQL injection in pgAdmin 4's named restore point endpoint POST /browser/server/restore point/gid/sid. The user-supplied 'value' field was interpolated directly into the SQL string with str.format instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected...

PT-2026-50660

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...

PT-2026-50656

claudiopizzillo PIAF-HMS PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5 contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters...

Thursday, June 18, 2026 Security Releases

Thursday, June 18, 2026 Security Releases UPDATE 2026-06-18 Security releases available Updates are now available for the 26.x, 24.x, 22.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: llhttp 9.4....

PT-2026-50742

Summary Running a malicous container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree durin...

Unquoted Service Path Detection and Remediation Tool for Windows

This PowerShell script is a comprehensive security auditing tool designed to detect and fix unquoted service path vulnerabilities in Windows services...

PT-2026-50793

Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...

HP (CVE-2014-7875)

Unspecified vulnerability on the HP LaserJet CM3530 Multifunction Printer CC519A and CC520A with firmware before 53.236.2 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors. This plugin only works with Tenable.ot. Please visit...

Joomla! Extension 'JCE' < 2.9.99.5 Remote Code Execution

The version of the JCE Joomla Content Editor extension for the Joomla! application running on the remote host is prior to 2.9.99.5. It is, therefore, affected by an improper access control vulnerability. The extension allows the creation of new editor profiles for unauthenticated users, ultimatel...

Siemens RUGGEDCOM RST2428P Improper Input Validation (CVE-2026-23231)

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: fix use-after-free in nftablesaddchain nftablesaddchain publishes the chain to table-chains via listaddtailrcu in nftchainadd before registering hooks. If nftablesregisterhook then fails, the error path calls...

RHEL 8 : xorg-x11-server-Xwayland (RHSA-2026:26562)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:26562 advisory. Xwayland is an X server for running X clients under Wayland. Security Fixes: xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server:...

Siemens RUGGEDCOM RST2428P Uncontrolled Recursion (CVE-2025-8732)

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to...

Siemens RuggedCom Rox Out-of-bounds Write (CVE-2019-14196)

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfslookupreply. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc...