
Snyk
added 2026/03/11 8:42 p.m., 1 view

User Impersonation

Overview: shopware/core is the core of the Shopware platform for all Shopware ecommerce products. Affected versions of this package are vulnerable to User Impersonation in the app registration process. An attacker can gain unauthorized access to sensitive API credentials by exploiting the ability to...

CVSS 8.9, AI score 5.8, EPSS 0.00094
Exploits: 0, References: 2
Github Security Blog
added 2026/03/11 7:24 p.m., 7 views

Shopware vulnerable to a potential take over of app credentials

Summary: We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re-registration, an attacker could redirect app traffic to an...

CVSS 8.9, AI score 5.8, EPSS 0.00094
Exploits: 0, References: 3, Affected Software: 2
OSV
added 2026/03/11 5:07 p.m., 2 views

SUSE-SU-2026:0873-1 Security update for python

This update for python fixes the following issue: - CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator (bsc#1257181)...

CVSS 6, AI score 5.8, EPSS 0.00052
Exploits: 0, References: 3
OSV
added 2026/03/11 3:48 p.m., 2 views

BIT-PARSE-2026-29182 Parse Server: Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoint...

CVSS 8.6, AI score 5.7, EPSS 0.00023
Exploits: 0, References: 4
RedHat Linux
added 2026/03/11 5:01 a.m., 2 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.18.35 bug fix and security update

Red Hat OpenShift Container Platform release 4.18.35 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.18. Red Hat Product Security has rated this update as having a...

CVSS 7.5, AI score 6.7, EPSS 0.01195
Exploits: 1, References: 2
Github Security Blog
added 2026/03/11 12:34 a.m., 3 views

Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types

Impact: An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its...

CVSS 6.3, AI score 5.8, EPSS 0.00064
Exploits: 0, References: 5, Affected Software: 1
CBLMariner
added 2026/03/10 10:56 p.m., 1 view

CVE-2025-68725 affecting package kernel for versions less than 6.6.126.1-1

CVE-2025-68725 affecting package kernel for versions less than 6.6.126.1-1. A patched version of the package is available...

CVSS 5.5, AI score 5.8, EPSS 0.00011
Exploits: 0
OSV
added 2026/03/10 10:08 a.m., 1 view

RHSA-2026:4059 Red Hat Security Advisory: postgresql:15 security update

Bulletin has no description...

CVSS 8.8, AI score 5.7, EPSS 0.00059
Exploits: 3, References: 23
SUSE CVE
added 2026/03/10 12:24 a.m., 2 views

SUSE CVE-2026-28350

lxml_html_clean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.4, the tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for , allowing an attacker to inje...

CVSS 6.1, AI score 5.7, EPSS 0.00016
Exploits: 1, References: 3
Positive Technologies
added 2026/03/10 12:00 a.m., 3 views

PT-2026-24423

Name of the Vulnerable Software and Affected Versions: Zoom Workplace for Windows versions prior to 6.6.0. Description: The issue involves external control of the file name or path within the Mail feature. This can allow an unauthenticated user to escalate privileges through network access. The...

CVSS 9.8, AI score 5.7, EPSS 0.00103
Exploits: 0, References: 12
GithubExploit
added 2026/03/09 9:07 p.m., 108 views

Exploit for Improper Privilege Management in Microsoft

CVE-2026-21533 Scanner: Windows RDP Local Privilege Escalation...

CVSS 7.8, AI score 5.8, EPSS 0.20196
Exploits: 5
EUVD
added 2026/03/09 5:42 p.m., 4 views

EUVD-2026-10172

Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters...

CVSS 9.3, AI score 5.8, EPSS 0.00034
Exploits: 0, References: 2
EUVD
added 2026/03/09 5:27 p.m., 3 views

EUVD-2026-10160

Netmaker has Privilege Escalation from Admin to Super-Admin via User Update...

CVSS 6.9, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 3
Github Security Blog
added 2026/03/09 5:24 p.m., 6 views

Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Impact: A flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host...

CVSS 7.1, AI score 5.8, EPSS 0.00017
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/03/09 8:38 a.m., 5 views

CLSA-2026-1773045484 kernel: Fix of 28 CVEs

fix: dm: fix dm_blk_report_zones CVE-2025-38141 - ice: Fix a null pointer dereference in ice_copy_and_init_pkg CVE-2025-38664 - qed: Don't collect too many protection override GRC elements CVE-2025-39949 - drm/amd/display: Avoid a NULL pointer dereference CVE-2025-39693 - iommu/amd/pgtbl: Fix possible...

CVSS 7.8, AI score 6.8, EPSS 0.00065
Exploits: 3, References: 1
RedhatCVE
added 2026/03/09 8:02 a.m., 3 views

CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...

CVSS 6.3, AI score 5.7, EPSS 0.00021
Exploits: 0, References: 1
RedHat Linux
added 2026/03/09 1:52 a.m., 3 views

Important: Red Hat Security Advisory: golang-github-openprinting-ipp-usb security update

An update for golang-github-openprinting-ipp-usb is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed...

CVSS 10, AI score 7.1, EPSS 0.00045
Exploits: 1, References: 3
OPENSUSE Linux
added 2026/03/08 12:00 a.m., 3 views

Security update for chromium (important)

openSUSE Security Update: Security update for chromium. Announcement ID: openSUSE-SU-2026:0077-1. Rating: important. References: 1259213. Cross-References: CVE-2026-3536 CVE-2026-3537 CVE-2026-3538 CVE-2026-3539 CVE-2026-3540 CVE-2026-3541 CVE-2026-3542 CVE-2026-3543 CVE-2026-3544 CVE-2026-3545...

CVSS 9.6, AI score 6, EPSS 0.00134
Exploits: 0, References: 1
RedhatCVE
added 2026/03/07 7:31 p.m., 3 views

CVE-2026-29075

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In versions 3.5.0 and prior, checking out untrusted code in the benchmarks.yml workflow may lead to code execution on a privileged runner. This issue has been patched via commi...

CVSS 9.8, AI score 6.1, EPSS 0.00134
Exploits: 0, References: 1
RedhatCVE
added 2026/03/07 7:31 p.m., 2 views

CVE-2026-29087

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/), inconsistent URL decoding can allow protected static resources to be accessed...

CVSS 7.5, AI score 5.7, EPSS 0.00018
Exploits: 0, References: 1