kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop

A flaw was found in the Linux kernel's ALSA Advanced Linux Sound Architecture aloop driver. This Use-After-Free UAF vulnerability occurs when loopbackcheckformat stops the capture side during a format change, while a concurrent close operation detaches or frees the runtime. An attacker could...

CVE-2026-52909

In the Linux kernel, the following vulnerability has been resolved: ip6vti: set netnsimmutable on the fallback device. john1988 and Noam Rathaus reported that vti6initnet does not set the netnsimmutable flag on the per-netns fallback tunnel device ip6vti0. Other similar tunnel drivers like...

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

Stable Diffusion Webui 1.10.0 - Open Redirect

An open redirect vulnerability exists in Stable-Diffusion-Webui 1.10.0, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs. id: CVE-2024-11044...

Ruckus vRioT IoT Controller - Authentication Bypass

Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validatetoken.py,letting unauthenticated attackers interact with the API without authentication. id: CVE-2020-26879 info: name: Ruckus vRioT IoT Controller - Authentication Bypass author: DhiyaneshDk severity:...

WordPress Toolbar <= 2.2.6 - Open Redirect

The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. id: CVE-2023-6389 info: name: WordPress Toolbar = 2.2.6 - Open Redirect...

Users Ultra <= 3.1.0 - SQL Injection

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection...

WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload

The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwbwgmpreviewmail' and 'mwbwgmwoocommerceaddcartitemdata' functions in all versions up to, and including, 2.6.0. This makes it possible for...

CVE-2026-12012

The following flaw was identified in the Chromium browser: Use after free Network. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=499182801...

CVE-2026-12011

The following flaw was identified in the Chromium browser: Use after free WebMIDI. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=518108291...

CVE-2026-12463

An inappropriate implementation flaw was found in the Views component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=518042749...

CVE-2026-12458

An incorrect security ui flaw was found in the Passwords component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=517258337...

CVE-2026-12451

An use after free flaw was found in the DigitalCredentials component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=514741076...

crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building

A flaw was found in the Go standard library packages crypto/x509 and crypto/tls. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being...

WordPress My Calendar <3.4.22 - SQL Injection

WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route. id: CVE-2023-6360 info: name: WordPress My Calendar 3.4.22 - SQL Injection author: xxcdd severity: critical...

ROOT-OS-DEBIAN-12-CVE-2023-34152 CVE-2023-34152 in rootio-imagemagick - Patched by Root

Root has patched CVE-2023-34152 in the rootio-imagemagick package for Root:Debian:12. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-40973 CVE-2026-40973 in io.root.org.springframework.boot:spring-boot - Patched by Root

Root has patched CVE-2026-40973 in the io.root.org.springframework.boot:spring-boot package for Root:Maven. Multiple fixed versions available...

ROOT-OS-DEBIAN-13-CVE-2026-31525 CVE-2026-31525 in rootio-linux - Patched by Root

Root has patched CVE-2026-31525 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...

ROOT-OS-DEBIAN-13-CVE-2025-71133 CVE-2025-71133 in rootio-linux - Patched by Root

Root has patched CVE-2025-71133 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...

ROOT-OS-DEBIAN-13-CVE-2025-40022 CVE-2025-40022 in rootio-linux - Patched by Root

Root has patched CVE-2025-40022 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...