4597 matches found

Tenable Nessus
added 2026/04/17 12:0 a.m. | 1 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007417)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007417 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue. During the detaching of Marvell's SAS/SATA...

5.6 AI score | 0.00083 EPSS
Exploits: 0 | References: 4
Tenable Nessus
added 2026/04/17 12:0 a.m. | 1 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007495)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007495 advisory. In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_sync_inode_meta. syzbot reported an UAF issue as below: 1 2 1...

5.5 CVSS | 5.9 AI score | 0.00024 EPSS
Exploits: 0 | References: 4
OSV
added 2026/04/16 10:51 p.m. | 3 views

GHSA-JP74-MFRX-3QVH Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Summary A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and...

9.9 CVSS | 6.2 AI score | 0.00037 EPSS
Exploits: 0 | References: 3
Github Security Blog
added 2026/04/16 10:51 p.m. | 4 views

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Summary A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and...

9.9 CVSS | 6.3 AI score | 0.00037 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
vulnersOsv
added 2026/04/16 10:29 p.m. | 4 views

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +11 more potentially affected by CVE-2026-6270 via @fastify/middie (>=9.0.2 <=9.3.1)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-6270 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098213...

9.1 CVSS | 5.4 AI score | 0.00085 EPSS
Exploits: 1
Microsoft Security Update
added 2026/04/16 8:0 p.m. | 4 views

Azure File Sync Agent v22.3 Release – April 2026 (KB5087090)

Azure File Sync Agent v22.3 Release – April 2026 KB5087090...

5.8 AI score
Exploits: 0
Microsoft Security Update
added 2026/04/16 8:0 p.m. | 6 views

Azure File Sync Agent v22.3 Release – April 2026 (KB5087090)

Azure File Sync Agent v22.3 Release – April 2026 KB5087090...

5.8 AI score
Exploits: 0
Microsoft Security Update
added 2026/04/16 8:0 p.m. | 7 views

Azure File Sync Agent v22.3 Release – April 2026 (KB5087090)

Azure File Sync Agent v22.3 Release – April 2026 KB5087090...

5.8 AI score
Exploits: 0
Microsoft Security Update
added 2026/04/16 8:0 p.m. | 10 views

Azure File Sync Agent v22.3 Release – April 2026 (KB5087090)

Azure File Sync Agent v22.3 Release – April 2026 KB5087090...

5.8 AI score
Exploits: 0
Tenable Nessus
added 2026/04/16 12:0 a.m. | 6 views

SUSE SLED15 / SLES15 Security Update : xorg-x11-server (SUSE-SU-2026:1330-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1330-1 advisory. - CVE-2026-33999: XKB Integer Underflow in XkbSetCompatMap (bsc#1260922). - CVE-2026-34000: XKB Out-of-bounds Rea...

9.1 CVSS | 5.9 AI score | 0.00027 EPSS
Exploits: 0 | References: 16
Snyk
added 2026/04/15 6:57 p.m. | 7 views

Timing Attack

Overview: @sync-in/server is the secure, open-source platform for file storage, sharing, collaboration, and syncing. Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain valid usernames by measuring differences in response times from the...

6.9 CVSS | 5.8 AI score | 0.00048 EPSS
Exploits: 0 | References: 2
ATTACKERKB
added 2026/04/15 8:28 a.m. | 0 views

CVE-2026-3649

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportalpopupshortcode function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can) or nonc...

5.3 CVSS | 5.7 AI score | 0.00045 EPSS
Exploits: 0 | References: 6
Patchstack
added 2026/04/15 4:5 a.m. | 4 views

WordPress Katalogportal-pdf-sync Widget plugin <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action vulnerability

Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action vulnerability discovered by Poli - CMC Global in WordPress Plugin Katalogportal-pdf-sync Widget versions <= 1.0.0...

5.3 CVSS | 5.8 AI score | 0.00045 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD
added 2026/04/15 12:0 a.m. | 4 views

WordPress plugin Katalogportal PDF Sync security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

5.3 CVSS | 5.8 AI score | 0.00045 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2026/04/15 12:0 a.m. | 5 views

PT-2026-37110

Name of the Vulnerable Software and Affected Versions Sync-in Server versions prior to 2.2.0 Description A logic flaw in the "/api/auth/login" endpoint allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This timing discrepancy occurs...

6.9 CVSS | 5.8 AI score | 0.00048 EPSS
Exploits: 0 | References: 7
OSV
added 2026/04/14 12:0 a.m. | 1 views

UBUNTU-CVE-2026-34001

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially...

7.8 CVSS | 5.8 AI score | 0.00005 EPSS
Exploits: 0 | References: 3
RedhatCVE
added 2026/04/13 7:25 p.m. | 2 views

CVE-2026-39705

Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through = 1.4.4...

5.3 CVSS | 5.8 AI score | 0.0004 EPSS
Exploits: 0 | References: 1
Wolfi
added 2026/04/11 2:51 a.m. | 7 views

CVE-2026-32281 vulnerabilities

Vulnerabilities for packages: kine, oras, memcached-exporter, terraform, victoriametrics-cluster, kubeflow-katib, terraform-provider-kubernetes, rancher-loglevel, bank-vaults, influx, rancher-telemetry, helm-set-status, opentofu, aws-flb-kinesis, kapp, rancher-system-upgrade-controller, spegel,...

7.5 CVSS | 7.1 AI score | 0.00022 EPSS
Exploits: 0
OSV
added 2026/04/10 7:30 p.m. | 1 views

GHSA-32PV-MPQG-H292 Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read

Summary Two unauthenticated path traversal vulnerabilities exist in Saltcorn's mobile sync endpoints. The POST /sync/offlinechanges endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the serve...

8.2 CVSS | 6 AI score | 0.00239 EPSS
Exploits: 1 | References: 3
Github Security Blog
added 2026/04/10 7:30 p.m. | 3 views

Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read

Summary Two unauthenticated path traversal vulnerabilities exist in Saltcorn's mobile sync endpoints. The POST /sync/offlinechanges endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the serve...

8.2 CVSS | 6 AI score | 0.00239 EPSS
Exploits: 1 | References: 3 | Affected Software: 1