729 matches found
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: xfrm: Validates the prefix length of new SA entries using the SA family, when sel.family is unset. This extends the validation introduced in commit 07bf7908950a “xfrm: Validates address prefix lengths in the xfrm selector”. The...
MAL-2026-5837 Malicious code in postcss-minify-selector (npm)
Source: amazon-inspector 1bc7341d6762a6209e4bde3d99f31f1a8650b6971e64a19547b9f35e7a51abb3 Package is published as postcss-minify-selector singular but its internal postcss plugin identifier is postcss-minify-selectors plural — the canonica...
MAL-2026-5737 Malicious code in postcss-minify-selector-parser (npm)
Source: amazon-inspector 957f5cbb74f4dd4b4770e8c9cc1a8aac88a4450cb01dbc0fa5242c42e343f54c The package name impersonates the widely-used postcss-selector-parser library which it also declares as a dependency and re-exports verbatim from...
GHSA-XVFQ-4Q6Q-GXX7 In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0...
PT-2026-48391
Found a command injection in Warp CVE-2026-48719 A crafted Git branch name runs in the victim's shell when selected in the prompt branch selector. Responsibly disclosed and now patched. Update @warpdotdev to stay safe. https://t.co/j16vvGrYLa...
CVE-2026-41726
In Spring for Apache Kafka, CVE-2026-41726 arises when an application uses the DelegatingDeserializer and an attacker can send records with unique, random spring.kafka.serialization.selector header values. This can cause the consumer’s heap to grow without bound, leading to garbage-collection thr...
CVE-2026-9811
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...
CVE-2026-4665
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox data-caption attributes in all versions up to, and including, 2.7.10. This is due to the fancybox-config.js script reading the carousel container's id attribute directly from the DOM to...
CVE-2026-39972
Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to...
EUVD-2026-33944
The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With...
UBUNTU-CVE-2026-49270
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the project selector component when rendering selection menus for associating projects with system entities due to improper sanitization of project names returned via AJAX before injecting them into the DOM a...
EUVD-2026-33280
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...
CVE-2026-9811
CVE-2026-9811 is a stored XSS vulnerability in Mautic 7, specifically in the project selector component. The issue arises when rendering AJAX-returned project names into DOM option fields without proper sanitization; an authenticated user with project creation rights can inject malicious script v...