CVE-2026-42272

CVE-2026-42272 affects Heimdall, a cloud-native Identity Aware Proxy/Access Control service. Before v0.17.14, it treated URL-encoded slashes (%2F) as case-sensitive while percent-encodings must be case-insensitive, causing %2f to be ignored when allow_encoded_slashes is off (default). This discre...

python-kdcproxy: Unauthenticated SSRF via Realm‑Controlled DNS SRV

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request f...

CVE-2025-43496

The issue was addressed by adding additional logic. This issue is fixed in watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Sequoia 15.7.2, visionOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off...

CVE-2025-31276

This issue was addressed through improved state management. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9. Remote content may be loaded even when the 'Load Remote Images' setting is turned off...

Mozilla: IndexedDB files retained in private browsing mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox...

CVE-2023-1259

The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjarsiteid in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above...