CVE-2026-41430

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting...

CVE-2026-41430 Press vulnerable to reflected XSS on login redirection

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting...

CVE-2026-41317 Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

EUVD-2026-25386

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

CVE-2026-32952

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue...

EUVD-2026-25370

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...

CVE-2026-34587 Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... ...

PT-2026-34841

Name of the Vulnerable Software and Affected Versions Press affected versions not specified Description Press, a Frappe custom app used for managing infrastructure, subscriptions, marketplace, and software-as-a-service SaaS, contains a flaw in the 'press.api.account.create api secret' endpoint...

PT-2026-34848

Name of the Vulnerable Software and Affected Versions Press affected versions not specified Description Press is a Frappe custom app used for managing infrastructure, subscriptions, marketplace, and software-as-a-service SaaS on Frappe Cloud. The redirect parameter on the login page is susceptibl...

PT-2026-35053

Name of the Vulnerable Software and Affected Versions Axios versions 1.0.0 through 1.15.1 Description Axios is a promise based HTTP client for the browser and Node.js. The library is susceptible to a Prototype Pollution Gadget attack. This occurs because the default transformResponse function cal...

CVE-2026-41239

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, SAFEFORTEMPLATES strips ... expressions from untrusted HTML. This works in string mode but not with RETURNDOM or RETURNDOMFRAGMENT, allowing XSS via...

Security update for openssl-1_1

This update for openssl-11 fixes the following issues: CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo bsc1261678. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like Ya...

PT-2026-34821

Name of the Vulnerable Software and Affected Versions go-ntlmssp versions prior to 0.1.1 Description A malicious NTLM challenge message can cause a slice out of bounds panic, leading to a crash of any Go process utilizing ntlmssp.Negotiator as an HTTP transport. Recommendations Update to version...

PT-2026-34601

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP HOME/package manager// cache root a...

Important: Red Hat Security Advisory: OpenJDK 11.0.31 ELS Security Update for Windows Builds

An update is now available for OpenJDK. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References...

UBUNTU-CVE-2026-31496

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrackexpect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea "netfilter: conntrack: do not dump other netns's conntrack entries via proc"...

CVE-2026-31489

In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path mesonspiccprobe registers the controller with devmspiregistercontroller, so teardown already drops the controller reference via devm cleanup. Calling spicontrollerput again in...

ROOT-OS-DEBIAN-13-CVE-2026-34980 CVE-2026-34980 in rootio-cups - Patched by Root

Root has patched CVE-2026-34980 in the rootio-cups package for Root:Debian:13. Multiple fixed versions available...

Security update for podman

This update for podman rebuilds it against the current go 1.25 security release. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run the command listed for your product: SUSE Linux...

CVE-2026-41129

Craft CMS versions in the 4.x line up to 4.17.8 and the 5.x line up to 5.9.14 are vulnerable to a Server-Side Request Forgery when specific GraphQL permissions are enabled: “Edit assets in the volume” and “Create assets in the volume.” The issue is fixed in 4.17.9 and 5.9.15. Affected users sho...