SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy

Impact In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the...

Security update for python3

This update for python3 fixes the following issues: CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator bsc1257181. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2026:0871-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0871-1 advisory. Update to Firefox Extended Support Release 140.8.0 ESR MFSA 2026-15 bsc1258568: - CVE-2026-2757:...

SAP NetWeaver AS ABAP Missing Authorization Check (3703856)

The version of SAP NetWeaver AS ABAP and ABAP Platform detected on the remote host is affected by a missing authorization check vulnerability as referenced in the SAP Security Patch Day March 2026: - Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated...

GHSA-8WQ8-6859-QX77 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured...

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured...

This Android vulnerability can break your lock screen in under 60 seconds

A vulnerability in Android devices can allow attackers to gain access to a phone in less than a minute. The vulnerability, tracked as CVE-2026-20435, affects certain MediaTek SoCs System-on-a-Chip using Trustonic’s TEE Trusted Execution Environment. That may sound rare, but reportedly that’s abou...

ROOT-OS-DEBIAN-12-CVE-2026-27798 CVE-2026-27798 in rootio-imagemagick - Patched by Root

Root has patched CVE-2026-27798 in the rootio-imagemagick package for Root:Debian:12. Multiple fixed versions available...

RHSA-2026:4222 Red Hat Security Advisory: libpng15 security update

Bulletin has no description...

DEBIAN-CVE-2026-4015

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtinprocesstexml of the file src/filters/loadtext.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit...

CVE-2026-4015 GPAC TeXML File load_text.c txtin_process_texml stack-based overflow

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtinprocesstexml of the file src/filters/loadtext.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit...

CVE-2026-4015

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtinprocesstexml of the file src/filters/loadtext.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit...

CVE-2026-3979

A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function jsiteratorconcatreturn of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name:...

CVE-2026-3977

Technical details (affected product/version, exploitability, impact, and remediation) are not publicly provided in the supplied documents. Monitor for updates from official advisories to obtain concrete information about CVE-2026-3977.

PT-2026-24918

A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js iterator concat return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name:...

User Impersonation

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to User Impersonation in the app registration process. An attacker can gain unauthorized access to sensitive API credentials by exploiting the ability to...

Shopware vulnerable to a potential take over of app credentials

Summary We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an...

SUSE-SU-2026:0873-1 Security update for python

This update for python fixes the following issue: - CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator bsc1257181...

BIT-PARSE-2026-29182 Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoint...

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.18.35 bug fix and security update

Red Hat OpenShift Container Platform release 4.18.35 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.18. Red Hat Product Security has rated this update as having a...