OESA-2026-1839 python-ecdsa security update

This is an easy-to-use implementation of ECDSA cryptography Elliptic Curve Digital Signature Algorithm, implemented purely in Python, released under the MIT license. With this library, you can quickly create keypairs signing key and verifying key, sign messages, and verify the signatures. The key...

Ajenti.plugin.core Has Race Conditions In 2FA

Impact If the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. Patches This is fixed in the version 0.112. Users should upgrade to this version as soon as possible...

GHSA-8F24-V5VV-GM5J next-intl has an open redirect vulnerability

Impact Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or control characters stripped by the URL parser, so the middleware coul...

next-intl has an open redirect vulnerability

Impact Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host e.g. scheme-relative // or control characters stripped by the URL parser, so the middleware coul...

Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token, to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...

Security update for cockpit-tukit

This update for cockpit-tukit fixes the following issues: CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process bsc1257836. CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive...

Security update for cockpit-machines

This update for cockpit-machines fixes the following issues: CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process bsc1257836. CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive...

ROOT-OS-DEBIAN-11-CVE-2026-35414 CVE-2026-35414 in rootio-openssh - Patched by Root

Root has patched CVE-2026-35414 in the rootio-openssh package for Root:Debian:11. Multiple fixed versions available...

GHSA-52VJ-FVRV-7Q82 OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts

A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed...

SUSE SLES12 Security Update : kernel (Live Patch 67 for SUSE Linux Enterprise 12 SP5) (SUSE-SU-2026:1221-1)

The remote SUSE Linux SLES12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1221-1 advisory. This update for the SUSE Linux Enterprise Kernel 4.12.14-122.255 fixes various security issues The following security issues were fixed: -...

CVE-2026-5831 Agions taskflow-ai terminal_execute handlers.ts os command injection

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminalexecute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading ...

PT-2026-31707

Name of the Vulnerable Software and Affected Versions FoundationAgents MetaGPT versions up to 0.8.1 Description A flaw exists in the Terminal.run command function within the metagpt/tools/libs/terminal.py library. This allows for os command injection, potentially enabling remote exploitation. The...

CVE-2026-5808

A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/dashboard/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in...

PT-2026-34331

Name of the Vulnerable Software and Affected Versions PackageKit versions 1.0.2 through 1.3.4 Description PackageKit, a D-Bus abstraction layer for secure package management across distributions, contains a time-of-check time-of-use TOCTOU race condition involving transaction flags. This flaw...

RHSA-2026:6618 Red Hat Security Advisory: gnutls security update

Bulletin has no description...

ROOT-OS-DEBIAN-12-CVE-2024-37407 CVE-2024-37407 in rootio-libarchive - Patched by Root

Root has patched CVE-2024-37407 in the rootio-libarchive package for Root:Debian:12. Multiple fixed versions available...

SUSE CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

Security update for avahi

This update for avahi fixes the following issue: CVE-2026-24401: avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record bsc1257235. Patch Instructions: To install this SUSE update use the SUSE recommended installation metho...

EUVD-2026-19176

A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks...

CVE-2026-27834

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...