CVE-2026-39394
CI4MS vulnerable to CRLF injection in .env via unvalidated host parameter in Install::index(). Before 0.31.4.0, host is read without validation and appended to .env through updateEnvSettings() using preg_replace(), allowing newline characters to inject arbitrary key=value lines (e.g., app.baseURL...
CVE-2026-35533 mise has a local settings bypass of config trust checks
mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted a...
PT-2026-26776
Summary AVideo's session start function accepts arbitrary session IDs via the PHPSESSID GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly...
nfs-utils: rpc.mountd in the nfs-utils privilege escalation
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux that allows an NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exporte...
PT-2026-7746
Name of the Vulnerable Software and Affected Versions: macOS versions prior to Tahoe 26.3; macOS versions prior to Sonoma 14.8.4; macOS versions prior to Sequoia 15.7.4; iOS versions prior to 18.7.5; iPadOS versions prior to 18.7.5. Description: An application may be able to bypass certain Privacy...
CVE-2026-1075
CVE-2026-1075 – ZT Captcha (WordPress): The WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to 1.0.4 due to improper nonce validation on the save_ztcpt_captcha_settings action. This allows unauthenticated attackers to modify plugin settings via a forged request if ...
Telegram to Add Warning for Proxy Links After IP Leak Concerns
Telegram will add a warning for proxy links after reports showed they can expose user IP addresses with a single click, bypassing VPN or privacy settings...
Apple multiple products security vulnerability
Apple iOS and others are products of Apple Inc. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. Apple visionOS is an operating system for AR glasses. A security vulnerability exists in several Apple products, which stems from an...
Apple macOS security vulnerability
Apple macOS is a suite of specialized operating systems developed for Mac computers by Apple Inc. in the United States. A security vulnerability exists in Apple macOS Sequoia prior to version 15.7, which stems from insufficient symbolic link validation and could lead to bypassing privacy...
EUVD-2020-1619
Malware in sbrugna...
EUVD-2020-1581
Malware in sbrugna...
EUVD-2021-2953
Malicious code in bioql PyPI...
EUVD-2024-54706
Malicious code in bioql PyPI...
Arc security vulnerability
Arc is a browser from Arc. A security vulnerability exists in versions prior to Arc 1.26.1 that stems from a site settings bypass issue that allows sites to add new permissions...
CVE-2024-52928
Arc before 1.26.1 on Windows has a bypass issue in the site settings that allows websites with previously granted permissions to add new permissions when the user clicks anywhere on the website...
CVE-2023-21388
In Settings, there is a possible restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2021-39651
In TBD of TBD, there is a possible way to access PIN protected settings bypassing PIN confirmation due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product:...
CVE-2021-0334
In onTargetSelected of ResolverActivity.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product:...
CVE-2020-0115
In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...
CVE-2017-13314
In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. This could lead to local escalation of privilege allowing users to access non-VPN networks, when they are supposed to be restricted to the VPN networks, with...