12027 matches found

CVE
added 1 hour ago, 4 views

CVE-2025-36327

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to bypass security controls and perform unauthorized actions due to client-side enforcement of server-side security...

CVSS 6.5
Exploits: 0, References: 1
NVD
added 5 hours ago, 7 views

CVE-2026-48314

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to...

CVSS 6.5
Exploits: 0, References: 1
NVD
added 5 hours ago, 6 views

CVE-2026-48285

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue...

CVSS 8.6
Exploits: 0, References: 1
Cvelist
added 6 hours ago, 6 views

CVE-2026-48285 ColdFusion | Server-Side Request Forgery (SSRF) (CWE-918)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue...

CVSS 8.6
Exploits: 0, References: 1
NVD
added 8 hours ago, 5 views

CVE-2026-12388

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

CVSS 6.5
Exploits: 0, References: 2
RedhatCVE
added 9 hours ago, 4 views

CVE-2026-12388

A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

CVSS 6.5, AI score 5.6
Exploits: 0, References: 3
Cvelist
added 9 hours ago, 5 views

CVE-2026-14209 Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions

A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for users but not view their full details can use a...

CVSS 4.3
Exploits: 0, References: 2
RedHat Linux
added 11 hours ago, 4 views

vim: arbitrary command execution via modeline sandbox bypass

A flaw was found in Vim. A modeline is used to set specific editor options directly from a text file. However, the complete, guitabtooltip, printheader options and the mapset function lack proper security checks, allowing an attacker to bypass restrictions and cause arbitrary OS command execution...

CVSS 8.2, AI score 5.9, EPSS 0.00417
Exploits: 0, References: 8
RedhatCVE
added 13 hours ago, 4 views

CVE-2026-53537

A flaw was found in Python-Multipart. This vulnerability allows a remote attacker to bypass security controls by exploiting a difference in how Content-Disposition and Content-Type headers are parsed. Specifically, the parse_options_header function incorrectly applies RFC 2231/5987 decoding, which ...

CVSS 5.3, AI score 5.8, EPSS 0.00177
Exploits: 0, References: 4
RedhatCVE
added 13 hours ago, 12 views

CVE-2026-53434

A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists (CRLs) for a FFM (presumably a specific type of connector), the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security...

CVSS 9.1, AI score 5.7
Exploits: 0, References: 4
Nuclei
added yesterday, 16 views

SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass

SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. id: CVE-2025-40536 info: name: SolarWinds Web Help Desk 12.8.8 Hotfix 1 HF1 - Security...

CVSS 9.8, AI score 7.5, EPSS 0.8413
Exploits: 4, References: 3
Nuclei
added yesterday, 15 views

Adobe Experience Manager ≤ 6.5.23.0 - XML Injection

Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. id: CVE-2025-54251 info: name: Adobe Experience Manager ≤ 6.5.23.0 - XML Injection author: DhiyaneshDK,assetnote severity: medium description: |...

CVSS 4.3, AI score 5.8, EPSS 0.01609
Exploits: 0
Nuclei
added yesterday, 8 views

Starlette - Improper Validation of Unsafe Equivalence in Input

A flaw was found in Starlette, a lightweight ASGI (Asynchronous Server Gateway Interface) framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP Host request header. This malformed header could cause the request.url to be incorrectly reconstructed, leading...

CVSS 6.5, AI score 5.8, EPSS 0.01438
Exploits: 2, References: 2
RedHat Linux
added yesterday, 4 views

gnutls: gnutls: Security bypass due to incorrect name constraint handling

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate...

CVSS 7.4, AI score 5.8, EPSS 0.00475
Exploits: 0, References: 5
NVD
added 2 days ago, 10 views

CVE-2026-58052

7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched...

CVSS 4.8, EPSS 0.00119
Exploits: 0, References: 3
RedhatCVE
added 4 days ago, 8 views

CVE-2026-53092

A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) subsystem. This vulnerability occurs due to incorrect delta tracking when source and destination registers are the same during register value adjustments. This can lead to a mismatch between the BPF verifier's analysis and the actu...

CVSS 7.8, AI score 5.7, EPSS 0.00127
Exploits: 0, References: 4
RedhatCVE
added 4 days ago, 6 views

CVE-2026-53081

A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) verifier. This vulnerability occurs due to inconsistent base ID mapping when the regsafe function compares scalar registers with BPF_ADD_CONST values. This inconsistency allows the BPF verifier to incorrectly succeed in state pruning...

CVSS 7.8, AI score 5.8, EPSS 0.0012
Exploits: 0, References: 4
RedhatCVE
added 4 days ago, 10 views

CVE-2026-53090

A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) verifier. When ld_{abs,ind} instructions are used in BPF subprograms, the verifier fails to correctly simulate the abnormal exit path if packet data loading fails. This oversight could lead to unexpected behavior or bypass of security...

CVSS 7.8, AI score 5.9, EPSS 0.0012
Exploits: 0, References: 4
RedhatCVE
added 4 days ago, 5 views

CVE-2026-53188

A flaw was found in the Linux kernel's RDMA/core component. This vulnerability arises from insufficient validation of file operations (fops) passed to the ib_get_ucaps function. A local attacker could exploit this by creating a block device with a device number (devt) that aliases a character device...

CVSS 8.8, AI score 5.8, EPSS 0.00136
Exploits: 0, References: 4
CVE
added 4 days ago, 161 views

CVE-2026-48618

CVE-2026-48618 is a Node.js TLS hostname handling issue involving unicode dot separator handling that can bypass wildcard-depth authentication due to resolver/verifier hostname normalization mismatches. Connected updates confirm the vulnerability affects Node.js 22, 24, and 26 across releases. SU...

CVSS 7.7, AI score 6.7, EPSS 0.00612
Exploits: 0, References: 1, Affected Software: 1