64 matches found

OSV
added 2026/05/04 8:42 a.m., 3 views

CLSA-2026-1777884162 Fix CVE(s): CVE-2018-8014

Fix build process: - debian/keystores/ca-cert.pem, ca.jks: regenerate self-signed test CA using the existing ca-key.pem previous CA valid only until 21.03.2025. New validity: 21.04.2026 to 18.04.2036. - debian/keystores/localhost-cert.pem, localhost.jks, localhost-copy1.jks: re-issue against the...

CVSS 9.8 | AI score 7 | EPSS 0.61164
Exploits: 0 | References: 1

UbuntuCve
added 2026/03/18 6:16 p.m., 3 views

CVE-2026-23264

In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" This reverts commit 7294863a6f01248d72b61d38478978d638641bee. This commit was erroneously applied again after commit 0ab5d711ec74 "drm/amd: Refactor amdgpuaspm to be...

CVSS 5.5 | AI score 5.7 | EPSS 0.00018
Exploits: 0 | References: 13

CVE
added 2025/12/24 10:55 a.m., 10 views

CVE-2023-54008

CVE-2023-54008 affects the Linux kernel virtio_vdpa path where affinity masks are built unconditionally via create_affinity_masks(). The issue arises from potentially incorrect affinity handling when CPUs, groups, or devices (e.g., networking) exceed available CPUs, triggering a warning in group_...

AI score 5.9 | EPSS 0.0003
Exploits: 0 | References: 3

OSV
added 2025/11/11 12:7 a.m., 1 view

MAL-2025-66548 Malicious code in supports-validation-checkerlib (npm)

Source: amazon-inspector 781852f3dbd6b5aad45817413559a7dece6950db6702bc4d70d20904897bb099 The package supports-validation-checkerlib was found to contain malicious code. Source: ghsa-malware...

AI score 6.8
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2025/11/11 12:7 a.m., 3 views

Malicious code in supports-validation-checkerlib (npm)

Source: amazon-inspector 781852f3dbd6b5aad45817413559a7dece6950db6702bc4d70d20904897bb099 The package supports-validation-checkerlib was found to contain malicious code. Source: ghsa-malware...

AI score 6.9
Exploits: 0 | References: 1

EUVD
added 2025/11/11 12:7 a.m., 1 view

EUVD-2025-50839

Malicious code in supports-validation-checkerlib npm...

AI score 6.6
Exploits: 0 | References: 1

EUVD
added 2025/10/08 12:30 p.m., 2 views

EUVD-2025-31830

File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetailimg'...

CVSS 9.3 | AI score 7.7 | EPSS 0.01277
Exploits: 3 | References: 2

Tenable Nessus
added 2025/10/08 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-39921

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - spi: microchip-core-qspi: stop checking viability of op-maxfreq in supportsop callback In commit 13529647743d9 spi: microchip-core-qspi: Support per spi-mem...

CVSS 5.5 | AI score 5.8 | EPSS 0.00024
Exploits: 0 | References: 2

RedhatCVE
added 2025/10/06 3:17 p.m., 3 views

CVE-2025-10692

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping...

CVSS 7.1 | AI score 7.4 | EPSS 0.00092
Exploits: 0 | References: 1

OSV
added 2025/10/03 9:15 p.m., 3 views

CVE-2025-10695

Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission = 'any', enabling unauthenticated SSRF for internal network scanning and service interaction. This issue affects...

CVSS 5.3 | AI score 7
Exploits: 0 | References: 2

NVD
added 2025/10/03 9:15 p.m., 1 view

CVE-2025-10696

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the...

CVSS 7.1 | EPSS 0.00041
Exploits: 1 | References: 2

NVD
added 2025/10/03 9:15 p.m., 1 view

CVE-2025-10692

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping...

CVSS 7.1 | EPSS 0.00092
Exploits: 0 | References: 2

OSV
added 2025/10/03 9:15 p.m., 1 view

CVE-2025-10692

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping...

CVSS 7.1 | AI score 5.9 | EPSS 0.00092
Exploits: 0 | References: 2

Cvelist
added 2025/10/03 8:39 p.m., 8 views

CVE-2025-10695 OpenSupports 4.11.0 — SSRF via test imap and smtp endpoints

Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission = 'any', enabling unauthenticated SSRF for internal network scanning and service interaction. This issue affects...

CVSS 6.9 | EPSS 0.00059
Exploits: 1 | References: 2

CVE
added 2025/10/03 8:35 p.m., 10 views

CVE-2025-10696

CVE-2025-10696 affects OpenSupports 4.11.0. An endpoint allows editing the list of 'supervised users' for any account without verifying ownership, enabling a Level 1 staff member to modify the supervision relationship of a target user. This can let the target view tickets belonging to the added s...

CVSS 7.1 | AI score 6.4 | EPSS 0.00041
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2025/10/03 8:35 p.m., 7 views

CVE-2025-10696 OpenSupports 4.11.0 — Insecure Direct Object Reference in supervised list

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the...

CVSS 7.1 | EPSS 0.00041
Exploits: 1 | References: 2

EUVD
added 2025/10/03 8:30 p.m., 2 views

EUVD-2025-32372

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping...

CVSS 7.1 | AI score 6.8 | EPSS 0.00092
Exploits: 0 | References: 3

Positive Technologies
added 2025/10/03 12:0 a.m., 2 views

PT-2025-40597

Name of the Vulnerable Software and Affected Versions: OpenSupports versions 4.11.0. Description: The application’s API endpoint, /api/staff/get-new-tickets, directly incorporates the user-supplied parameter departmentId into a SQL query without proper sanitization. This allows an authenticated staf...

CVSS 7.1 | AI score 7.4 | EPSS 0.00092
Exploits: 0 | References: 7

Positive Technologies
added 2025/10/03 12:0 a.m., 3 views

PT-2025-40598

Name of the Vulnerable Software and Affected Versions: OpenSupports version 4.11.0. Description: Two unauthenticated diagnostic endpoints permit arbitrary backend-initiated network connections to a destination specified by an attacker. These endpoints are accessible without authentication due to a...

CVSS 6.9 | AI score 6.7 | EPSS 0.00059
Exploits: 1 | References: 7

RedhatCVE
added 2025/10/02 11:58 a.m., 4 views

CVE-2025-39921

In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: stop checking viability of op-maxfreq in supportsop callback In commit 13529647743d9 "spi: microchip-core-qspi: Support per spi-mem operation frequency switches" the logic for checking the viability of...

CVSS 5.5 | AI score 5.5 | EPSS 0.00024
Exploits: 0 | References: 4