Lucene search

276186 matches found

ATTACKERKB
added 2026/03/31 10:14 p.m. | 3 views

CVE-2026-34551

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a null-pointer dereference (NPD) in CIccTagLut16::Write can be triggered when processing a crafted ICC profile embedded in a TIFF and extracted during iccTiffDump. This issue has...

CVSS 6.2 | AI score 5.7 | EPSS 0.00156
Exploits: 1 | References: 4 | Affected Software: 1

ATTACKERKB
added 2026/03/31 9:59 p.m. | 5 views

CVE-2026-34536

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow (SO) in SIccCalcOp::ArgsUsed. The issue is observable under AddressSanitizer as a stack-overflow when iccApplyProfiles processes ...

CVSS 6.2 | AI score 5.8 | EPSS 0.00222
Exploits: 1 | References: 4 | Affected Software: 1

Vulnrichment
added 2026/03/31 9:58 p.m. | 3 views

CVE-2026-34535 iccDEV: SEGV in CIccTagArray::Cleanup()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a segmentation fault (SEGV) in CIccTagArray::Cleanup. The issue is observable under UBSan/ASan as misaligned member access / misaligned pointer...

CVSS 6.2 | AI score 5.8 | EPSS 0.00156
Exploits: 1 | References: 3

CVE
added 2026/03/31 9:58 p.m. | 15 views

CVE-2026-34535

iccDEV is affected by CVE-2026-34535 prior to version 2.3.1.6. A crafted ICC profile can trigger a segmentation fault in CIccTagArray::Cleanup(), observable under UBSan/ASan as misaligned member access and misaligned pointer loads followed by an invalid read, causing a process crash when running ...

CVSS 6.2 | AI score 5.8 | EPSS 0.00156
Exploits: 1 | References: 3 | Affected Software: 1

NVD
added 2026/03/31 9:16 p.m. | 5 views

CVE-2026-1579

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIALCONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink...

CVSS 9.8 | EPSS 0.00926
Exploits: 0 | References: 4

EUVD
added 2026/03/31 9:5 p.m. | 5 views

EUVD-2026-17666

XML Notepad is a Windows program that provides a simple intuitive User Interface for browsing and editing XML documents. Prior to version 2.9.0.21, XML Notepad does not disable DTD processing by default which means external entities are resolved automatically. There is a well known attack related...

CVSS 6.5 | AI score 5.7 | EPSS 0.00986
Exploits: 0 | References: 4

EUVD
added 2026/03/31 6:31 p.m. | 3 views

EUVD-2026-17540

An arbitrary file overwrite vulnerability in Squareapps LLC My Location Travel Timeline v11.80 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure...

AI score 6.4 | EPSS 0.00169
Exploits: 0 | References: 5

NVD
added 2026/03/31 6:16 p.m. | 8 views

CVE-2026-33074

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that come along with a higher...

CVSS 6.3 | EPSS 0.00171
Exploits: 0 | References: 2

OSV
added 2026/03/31 5:40 p.m. | 3 views

CVE-2026-32618 Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in...

CVSS 4.3 | AI score 5.8 | EPSS 0.00201
Exploits: 0 | References: 4

Wired Threat Level
added 2026/03/31 5:34 p.m. | 9 views

The US Military’s GPS Software Is an $8 Billion Mess

The GPS Next-Generation Operational Control System was due for completion in 2016. Ten years later, the software for controlling the military’s GPS satellites still doesn’t work...

AI score 5.9
Exploits: 0

NVD
added 2026/03/31 5:16 p.m. | 6 views

CVE-2026-24153

NVIDIA Jetson Linux has a vulnerability in initrd, where the nvluks trusted application is not disabled. A successful exploit of this vulnerability might lead to information disclosure...

CVSS 5.5 | EPSS 0.00121
Exploits: 0 | References: 3

vulnersOsv
added 2026/03/31 4:54 p.m. | 5 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +11 more potentially affected by CVE-2026-33579 via openclaw (>=2026.3.22 <=2026.3.24)

openclaw NPM version =2026.3.22, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 Source cves: CVE-2026-33579 Source advisory: SNYK:JS-OPENCLAW-15857165...

CVSS 9.9 | AI score 7.4 | EPSS 0.00624
Exploits: 0

vulnersOsv
added 2026/03/31 4:51 p.m. | 6 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +11 more potentially affected by CVE-2026-34504 via openclaw (>=2026.3.22 <=2026.3.24)

openclaw NPM version =2026.3.22, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 Source cves: CVE-2026-34504 Source advisory: SNYK:JS-OPENCLAW-15857162...

CVSS 8.3 | AI score 5.4 | EPSS 0.00227
Exploits: 0

CVE
added 2026/03/31 3:40 p.m. | 20 views

CVE-2026-34237

CVE-2026-34237 affects MCP Java SDK. A hardcoded wildcard CORS configuration (Access-Control-Allow-Origin: *) existed in versions before 0.83.0, 1.0.1, and 1.1.1, allowing cross-origin requests to server endpoints (including SSE paths). The issue has been patched in those versions (0.83.0, 1.0.1,...

CVSS 6.1 | AI score 7.3 | EPSS 0.00222
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/03/31 2:10 p.m. | 2 views

CVE-2026-34210 mppx has Stripe charge credential replay via missing idempotency check

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new...

CVSS 6 | AI score 5.8 | EPSS 0.00494
Exploits: 0 | References: 3

Cvelist
added 2026/03/31 9:53 a.m. | 23 views

CVE-2026-4317 SQL injection in Umami Software application

SQL injection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

CVSS 9.3 | EPSS 0.00345
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/31 9:53 a.m. | 1 view

CVE-2026-4317

SQL injection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

CVSS 9.3 | AI score 6.2 | EPSS 0.00345
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/03/31 9:53 a.m. | 3 views

CVE-2026-4317 SQL injection in Umami Software application

SQL injection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands in the database. Specifically, they could manipulate the value of the 'timezone' request parameter by includin...

CVSS 9.3 | AI score 6.2 | EPSS 0.00345
Exploits: 0 | References: 1

CVE
added 2026/03/31 9:53 a.m. | 8 views

CVE-2026-4317

CVE-2026-4317 describes an SQL injection in the Umami Software web application where an improperly sanitized timezone parameter is interpolated directly into SQL queries (potentially via prisma.rawQuery/prisma.$queryRawUnsafe or raw queries with ClickHouse). This authenticated-access vulnerabilit...

CVSS 9.3 | AI score 6.2 | EPSS 0.00345
Exploits: 0 | References: 1

OSV
added 2026/03/31 6:9 a.m. | 1 view

BELL-CVE-2026-5121 CVE-2026-5121 does not affect BellSoft software

Bulletin has no description...

CVSS 7.5 | AI score 5.8 | EPSS 0.01073
Exploits: 0 | References: 1