CVE-2026-6643

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf and passing user-controlled data directly to printf. Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to...

CVE-2026-6643 A stack-based buffer overflow vulnerability in the VPN Clients on the ADM

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf and passing user-controlled data directly to printf. Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to...

CVE-2026-32965

Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC Manager provided by silex technology, Inc. When the affected device is connected to the network with the initial factory-default configuration, the device can be configured with the null string password...

PraisonAI has an unspecified vulnerability

PraisonAI is a low-code multi-intelligent body collaboration framework. PraisonAI suffers from a security vulnerability that stems from the fact that the three-layer sandboxing of the executecode function can be completely bypassed, which can be exploited by an attacker to cause the execution of...

CVE-2026-40489

editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ecglob that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directo...

PT-2026-33640

Name of the Vulnerable Software and Affected Versions mailcow: dockerized versions prior to 2026-03b Description A second-order SQL injection exists in the Mailcow API. The endpoint '/api/v1/add/mailbox' stores the quarantine category variable without proper validation or sanitization. This value...

Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-39956)

The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-39956 advisory. - jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9...

CVE-protobufjs-GHSA-xq3m-2v4x-88gg

GHSA-xq3m-2v4x-88gg: protobuf.js Remote Code Execution Critic...

Cross-Site Request Forgery (CSRF)

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to weak CSRF token validation relying on hash collisions in String.hashCode, which allows an attacker to forge requests with colliding tokens and perform unauthorized actions without the victim’s consent...

CVE-2026-40482

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0...

GHSA-P6X5-P4XF-CC4R Remote Code Execution (RCE) via String Literal Injection into math-codegen

Impact String literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flo...

Remote Code Execution (RCE) via String Literal Injection into math-codegen

Impact String literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flo...

[slackware-security] cups

New cups packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/cups-2.4.17-i586-1slack15.0.txz: Upgraded. This update fixes security issues: The scheduler treated local user and group names as...

CVE-2026-34232

The CVE concerns Firebird (open-source RDBMS). Vulnerability: in affected releases prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function fails to handle the isc_arg_cstring type when decoding an op_response packet, allowing an unauthenticated attacker to crash the server by sending a...

CVE-2026-34232

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdrstatusvector function does not handle the iscargcstring type when decoding an opresponse packet, causing a server crash when one is encountered in the status vector. An...

OESA-2026-1981 jq security update

jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fixes: jq is ...

jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow

...

PT-2026-33526

ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007608)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007608 advisory. In the Linux kernel, the following vulnerability has been resolved: soc: qcom: qmiencdec: Restrict string length in decode The QMI TLV value for strings in a lot of...

[SECURITY] Fedora 44 Update: kf6-kcodecs-6.25.0-1.fc44

KDE Frameworks 6 Tier 1 addon with string manipulation methods...