Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
Drupal has issued an alert stating that it intends to release a "core security release" for all supported branches on May 20, 2026, from 5-9 p.m. UTC. "The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days," the...
EUVD-2023-46797
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet...
GHSA-8GPV-C454-3HFC Alkacon OpenCms is vulnerable to XSS via cmis-online/type
A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type...
EUVD-2026-26986
VM2 Has Sandbox Breakout Through Promise Species...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with an allow-list of Node built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the resetPromiseSpecies function. An attacker can execute arbitrary commands on the host system by escaping from the...
Astra Linux – Vulnerability in Mariadb 10.3
MariaDB version 10.5.9 allows an application to crash during sub_select_postjoin_aggr when a NULL value is used for aggr...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the ToolConfigModel tool and config name handling in the Ruby and Python models. An attacker can write or delete arbitrary files within the shared /plugins directory by supplying tool or config names containi...
CVE-2025-36375 IBM DataPower Gateway vulnerable to CSRF
IBM DataPower Gateway 10.6CD (10.6.1.0 through 10.6.5.0), 10.5.0 (10.5.0.0 through 10.5.0.20) and 10.6.0 (10.6.0.0 through 10.6.0.8) is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and...
CVE-2025-36375
CVE-2025-36375 affects IBM DataPower Gateway with a CSRF vulnerability. Affected versions include: 10.6CD 10.6.1.0–10.6.5.0, 10.5.0 10.5.0.0–10.5.0.20, and 10.6.0 10.6.0.0–10.6.0.8. Root cause: failure to properly validate the source of a request, enabling an attacker to induce a user to perfo...
CVE-2026-33013 Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in...
CVE-2026-3589 WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF
The WooCommerce WordPress plugin, versions 5.4.0 to 10.5.2, does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, via a CSRF attack, create arbitrary admin users, for example...
CVE-2026-27574
OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module, which is explicitly documented as not a security mechanism, to execute user-supplied code, allowing trivial sandbox escape via a well-known...
CVE-2025-15579
CVE-2025-15579 describes an insecure deserialization vulnerability in OpenText Directory Services (versions 10.5–26.1) that enables Object Injection. The root cause is deserialization of attacker-controlled data, which can lead to remote code execution, denial of se...
xrdp security vulnerabilities
xrdp is an open-source Remote Desktop Protocol server developed by neutrinolabs. Versions of xrdp prior to v0.10.5 contained security vulnerabilities stemming from improper boundary checking when processing user domain information, which could lead to stack-based buffer...
CLSA-2026-1769084608 mariadb: Fix of 5 CVEs
Updated to the 10.5.29 tarball - CVE-2025-30722: fix mariadb-dump wrong quoting character by using ' not " and using quote_for_equal - CVE-2025-30693: fix incorrect undo logging for indexes on virtual columns by properly encoding/decoding large index IDs in InnoDB undo log records - CVE-2025-21490:...
MiracleLinux 8 : mariadb:10.5 (AXSA:2025-11081:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-11081:01 advisory. mysql: High Privilege Denial of Service Vulnerability in MySQL Server CVE-2025-21490 mariadb: MariaDB Server Crash Due to Empty Backtrace Log...
MiracleLinux 8 : mariadb:10.5 (AXSA:2023-6519:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6519:01 advisory. mariadb: node crashes with "Transport endpoint is not connected" / "mysqld got signal 6" CVE-2023-5157 mariadb: use-after-poison in prepare_inplace_add_virtu...