4617 matches found
CVE-2026-30796 RustDesk Client Transmits Preset Address Book Password Verbatim in Heartbeat Sync
Cleartext Transmission of Sensitive Information and Insufficiently Protected Credentials vulnerability in rustdesk-client (RustDesk Client) on Windows, macOS, Linux, iOS and Android, in the Address book sync and Heartbeat sync loop modules, allows Sniffing Attacks. The client places the preset...
CVE-2026-30795 RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client (RustDesk Client) on Windows, macOS, Linux, iOS and Android, in the Heartbeat sync loop module, allows Sniffing Attacks. This vulnerability is associated with program file src/hbbs_http/sync.rs and program routine...
CVE-2026-30792 RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings
A vulnerability in rustdesk-client (RustDesk Client) on Windows, macOS, Linux, iOS, Android and WebClient, in the Strategy sync, HTTP API client and config options engine modules, allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files...
PT-2026-23460
Cleartext Transmission of Sensitive Information vulnerability in rustdesk-client (RustDesk Client) on Windows, macOS, Linux, iOS and Android, in the Heartbeat sync loop module, allows Sniffing Attacks. This vulnerability is associated with program file src/hbbs_http/sync.rs and program routin...
PT-2026-23457
Name of the Vulnerable Software and Affected Versions RustDesk Client versions through 1.4.5 Description A flaw exists in RustDesk Client on Windows, MacOS, Linux, iOS, Android, and WebClient that allows manipulation of Application API Messages through a Man-in-the-Middle attack. The issue is...
RUSTSEC-2026-0036 `time-sync` was removed from crates.io due to malicious code
The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This is the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005413)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005413 advisory. In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode In fimc_is_hw_change_mode,...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005513)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005513 advisory. In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo ocfs2_global_read_info will initialize and schedule...
CVE-2025-58107
In Microsoft Exchange through 2019, Exchange ActiveSync EAS configurations on on-premises servers may transmit sensitive data from Samsung mobile devices in cleartext, including the user's name, e-mail address, device ID, bearer token, and base64-encoded password...
Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005805)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005805 advisory. In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode In fimc_is_hw_change_mode,...
CVE-2025-58107
CVE-2025-58107 affects on-premises Microsoft Exchange environments up to 2019, specifically Exchange ActiveSync (EAS) configurations. The issue is that EAS configs may transmit sensitive data from Samsung mobile devices in cleartext, including the user’s name, email address, device ID, bearer tok...
CVE-2026-27638
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user (OpenID) mode, the sync API endpoints under /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budge...
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
In multi-user (OpenID) mode, the sync API endpoints under /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Affected Code File:...
EUVD-2026-8905
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode...
GHSA-QMJJ-P7M9-WJRV @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
In multi-user (OpenID) mode, the sync API endpoints under /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Affected Code File:...
Missing Authorization
Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the /sync/ endpoints due to missing verification that the authenticated user owns or has access to the targeted file. An attacker can access, modify, or...
CVE-2026-27638 ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user (OpenID) mode, the sync API endpoints under /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budge...
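The CVE-2026-27638 / GHSA-QMJJ-P7M9-WJRV entries above all describe the same defect: the server authenticates the caller but never checks that the caller is allowed to touch the file whose ID the client supplies. The following is an added example, not code from Actual or @actual-app/sync-server, that models a multi-user sync handler in plain Node.js with the missing check beside the fixed version. The store, user names, file IDs and the function names makeStore, syncVulnerable, syncHardened, canAccess and call are all constructed for illustration.

```javascript
// Added example (not the project's own code): a minimal model of a multi-user
// "/sync/" handler, once without and once with an ownership/access check.

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Constructed sample data: two OpenID users, each owning one budget file.
// sharedWith models explicit grants; an empty set means owner-only access.
function makeStore() {
  return new Map([
    ["file-alice-1", { owner: "alice", sharedWith: new Set(),          blob: "alice-budget-v1" }],
    ["file-bob-1",   { owner: "bob",   sharedWith: new Set(["carol"]), blob: "bob-budget-v1" }],
  ]);
}

// Both handlers receive a request that auth middleware has already processed:
// req.user is the verified OpenID subject, while req.body.fileId and
// req.body.blob come from the client and must be treated as attacker input.

// Vulnerable pattern: authentication is checked, authorization is not. The file
// is looked up purely by the client-supplied ID, so any logged-in user can read
// (download) or overwrite (upload) any other user's budget file.
function syncVulnerable(store, req) {
  if (!req.user) throw new HttpError(401, "unauthenticated");
  const file = store.get(req.body.fileId);
  if (!file) throw new HttpError(404, "no such file");
  if (req.body.blob !== undefined) file.blob = req.body.blob; // upload path
  return { status: 200, blob: file.blob };                     // download path
}

// Hardened pattern: bind the authenticated caller to the file before any
// read or write. The check is owner OR an explicit share grant.
function canAccess(user, file) {
  return file.owner === user || file.sharedWith.has(user);
}

function syncHardened(store, req) {
  if (!req.user) throw new HttpError(401, "unauthenticated");
  const file = store.get(req.body.fileId);
  // A missing file and a foreign file get the same 404, so the endpoint
  // cannot be used to enumerate which file IDs exist on the server.
  if (!file || !canAccess(req.user, file)) throw new HttpError(404, "no such file");
  if (req.body.blob !== undefined) file.blob = req.body.blob;
  return { status: 200, blob: file.blob };
}

// Small driver that turns a thrown HttpError into a response-like object.
function call(handler, store, req) {
  try { return handler(store, req); }
  catch (e) { if (e instanceof HttpError) return { status: e.status }; throw e; }
}

// Replay the cross-user overwrite against both handlers on fresh stores and
// report what happened to Alice's file in each case.
function demo() {
  const attack = { user: "bob", body: { fileId: "file-alice-1", blob: "tampered-by-bob" } };
  const storeV = makeStore();
  const v = call(syncVulnerable, storeV, attack);
  const storeH = makeStore();
  const h = call(syncHardened, storeH, attack);
  return {
    vulnerable: v.status,      // 200: Bob overwrote Alice's file
    vulnerableBlob: storeV.get("file-alice-1").blob,
    hardened: h.status,        // 404: request rejected, file untouched
    hardenedBlob: storeH.get("file-alice-1").blob,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The fix is deliberately placed before the write, not after: an authorization check that runs only on the download branch would still let an attacker overwrite files they cannot read. Returning 404 rather than 403 for a foreign file is a design choice that keeps file IDs from being enumerable through this endpoint; it only matters if IDs are guessable, but it costs nothing.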