HCL Aftermarket DPC 安全漏洞

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. A security vulnerability exists in HCL Aftermarket DPC, which can be exploited by an attacker to execute arbitrary commands or inject harmful content based on the way the web application handles split...

Usability of Passwordless Authentication in Wi-Fi Networks: A Comparative Study of Passkeys and Passwords in Captive Portals

Passkeys have recently emerged as a passwordless authentication mechanism, yet their usability in captive portals remains unexplored. This paper presents an empirical, comparative usability study of passkeys and passwords in a Wi-Fi hotspot using a captive portal. We conducted a controlled...

CVE-2026-23351

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftsetpipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible...

PT-2026-27681

In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix ARM64 alignment fault in multipath hash seed struct sysctl fib multipath hash seed contains two u32 fields user seed and mp seed, making it an 8-byte structure with a 4-byte alignment requirement. In fib multipath...

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

GHSA-PW4V-X838-W5PG AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

Summary The HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization which truncates at the...

AVideo has an Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

Summary The HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization which truncates at the...

PT-2026-26470

Summary The HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization which truncates at the...

EUVD-2026-12833

apko affected by unbounded resource consumption in expandapk.Split on attacker-controlled .apk streams...

PT-2026-24623

Summary At the rate limit filter, if we enabled the response phase limit with apply on stream done in the rate limit configuration and the response phase limit request fails directly, it may crash Envoy. Details When both the request phase limit and response phase limit are enabled, the safe gRPC...

ROS-20260310-73-0014

A vulnerability in the Split View component of Google Chrome browser is related to information presentation errors in the user interface. Exploitation of the vulnerability could allow a remote attacker to conduct spoofing attacks...

CLSA-2026-1772815097 Fix of 72 CVEs

CVE-2025-38699 - scsi: bfa: Double-free fix CVE-2025-38699 CVE-2025-38697 - jfs: upper bound check of tree index in dbAllocAG CVE-2025-38697 CVE-2025-39823 - KVM: x86: use arrayindexnospec with indices that come from guest CVE-2025-39823 CVE-2025-39689 - ftrace: Also allocate and copy hash for...

CVE-2026-26514

An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags e.g., -w, -q via the q parameter. This can be exploited to cause a Denial of Service D...

CVE-2026-26514

CVE-2026-26514 affects bird-lg-go prior to commit 6187a4e3afce6d8c29568f8c72ca497d1f5a2b56. The traceroute module parses user input with shlex.Split without validation, enabling an attacker to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can lead to Denial of Service (DoS) by e...

CVE-2026-26514

An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags e.g., -w, -q via the q parameter. This can be exploited to cause a Denial of Service D...

CVE-2026-25673 Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial o...

CVE-2026-28556

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topicmove, topicmerge, and topicsplit form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...

EUVD-2026-9105

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topicmove, topicmerge, and topicsplit form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...

CVE-2026-28556

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topicmove, topicmerge, and topicsplit form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...

CVE-2026-28556 wpForo Forum 2.4.14 Missing Authorization via Topic Management Form Handlers

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topicmove, topicmerge, and topicsplit form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...