360 matches found

EUVD
added 11 hours ago, 10 views

EUVD-2026-38712

In the Linux kernel, the following vulnerability has been resolved: netfilter: nflog: validate MAC header was set before dumping it. The fallback path of dump_mac_header guards the MAC header access only with "skb->mac_header != skb->network_header", without checking skb_mac_header_was_set(). When the MAC...

5.7 AI score
Exploits 0, References 7
AstraLinux
added 5 days ago, 4 views

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Do not return “unset power” in ieee80211_get_tx_power. We may receive a UBSAN warning if ieee80211_get_tx_power returns the INT_MIN value that mac80211 internally uses for “unset power level”. UBSAN:...

9.1 CVSS, 6 AI score, 0.01273 EPSS
Exploits 0, References 2
OSV
added 2026/06/12 6:28 p.m., 8 views

GHSA-J9GF-VW2F-9HRW Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation

Summary: A configuration-dependent origin validation bypass was identified in Appsmith’s password reset and email verification flows on the current release. Both flows derive the email-link base URL from the request Origin header. The current validation only enforces a trusted base URL when...

8.1 CVSS, 5.6 AI score
Exploits 0, References 3
RedHat Linux
added 2026/06/10 3:39 p.m., 5 views

lodash: prototype pollution in _.unset and _.omit functions

A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service...

7.9 CVSS, 6.3 AI score, 0.00317 EPSS
Exploits 0, References 5
Cvelist
added 2026/06/09 3:50 a.m., 33 views

CVE-2026-41844 Spring Framework Open Redirect in Spring MVC and WebFlux

A Spring MVC or Spring WebFlux application which configures a mapping for "/" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through...

4.2 CVSS, 0.00134 EPSS
Exploits 0, References 1
IBM Security Bulletins
added 2026/06/08 6:38 p.m., 4 views

Security Bulletin: Langflow OSS affected by vulnerabilities in Lodash versions 4.17.23 and earlier

Summary: Langflow OSS affected by vulnerabilities in Lodash versions 4.17.23 and earlier. Vulnerability Details: CVEID: CVE-2026-2950. DESCRIPTION: Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465:...

9.8 CVSS, 5.9 AI score, 0.01026 EPSS
Exploits 0, Affected Software 1
RedHat Linux
added 2026/06/08 1:52 a.m., 8 views

lodash: prototype pollution in _.unset and _.omit functions

A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service...

7.9 CVSS, 6.3 AI score, 0.00317 EPSS
Exploits 0, References 5
IBM Security Bulletins
added 2026/06/03 4:24 a.m., 14 views

Security Bulletin: Due to use of lodash-es-4.17.21.tgz, IBM Sterling Connect:Direct Web Services is vulnerable to prototype pollution in the _.unset and _.omit functions.

Summary: lodash-es-4.17.21.tgz is used by IBM Sterling Connect:Direct Web Services (CVE-2025-13465, CVE-2026-2950). Vulnerability Details: CVEID: CVE-2025-13465. DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can...

7.9 CVSS, 5.8 AI score, 0.00317 EPSS
Exploits 0, Affected Software 1
Positive Technologies
added 2026/05/29 12:00 a.m., 8 views

PT-2026-45064

Summary: Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silentl...

9.8 CVSS, 6 AI score, 0.00054 EPSS
Exploits 0, References 3
OSV
added 2026/05/28 3:43 p.m., 11 views

RLSA-2026:18868 Important: linux-sgx security update

The Intel SGX SDK is a collection of APIs, libraries, documentation and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++. Security Fixes: qs: Denial of Service via improper input validation in array parsing (CVE-2025-15284); node-tar: tar: node-ta...

8.8 CVSS, 5.8 AI score, 0.00519 EPSS
Exploits 5, References 6
CNNVD
added 2026/05/28 12:00 a.m., 10 views

rustfs security vulnerability

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to 1.0.0-beta.2 contained a security vulnerability. This vulnerability arises when RUSTFS_CORS_ALLOWED_ORIGINS is not set; in such cases, ConditionalCorsLayer reflects the Origin value and sets a relaxed...

6 CVSS, 5.8 AI score, 0.00108 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/05/28 12:00 a.m., 13 views

PT-2026-44473

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true a...

6 CVSS, 5.8 AI score, 0.00108 EPSS
Exploits 0, References 2
NVD
added 2026/05/27 3:16 p.m., 12 views

CVE-2026-44830

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins="",...

8.7 CVSS, 0.00215 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/05/27 2:19 p.m., 7 views

CVE-2026-44830

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins="",...

8.7 CVSS, 5.9 AI score, 0.00215 EPSS
Exploits 0, References 2, Affected Software 1
Cvelist
added 2026/05/27 2:19 p.m., 39 views

CVE-2026-44830 Empty API_TOKEN disables authentication on network-reachable HTTP/SSE transport

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins="",...

8.7 CVSS, 0.00215 EPSS
Exploits 0, References 1
UbuntuCve
added 2026/05/27 12:00 a.m., 10 views

CVE-2026-45965

apparmor: fix invalid deref of rawdata when exportbinary is unset...

5.8 AI score, 0.0016 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/05/22 7:50 a.m., 5 views

CVE-2026-7798 FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter

The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for...

5.4 CVSS, 5.8 AI score, 0.00645 EPSS
Exploits 0, References 8
CVE
added 2026/05/22 7:50 a.m., 26 views

CVE-2026-7798

The CVE-2026-7798 entry concerns the FluentCRM WordPress plugin (versions up to and including 2.9.87). A Blind Server-Side Request Forgery exists via the SubscribeURL parameter, enabling unauthenticated actors to make web requests from the application to internal/internal-facing targets and poten...

5.4 CVSS, 5.8 AI score, 0.00645 EPSS
Exploits 0, References 8
SUSE CVE
added 2026/05/21 3:00 a.m., 10 views

SUSE CVE-2021-25736

Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port “spec.ports.port” as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress.ip” field. Clusters where the LoadBalancer controller sets the...

6.3 CVSS, 7 AI score, 0.00908 EPSS
Exploits 0, References 3
AstraLinux
added 2026/05/20 5:53 a.m., 3 views

Astra Linux – vulnerability in linux-5.10, linux

In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fixed out-of-bounds bugs caused by the absence of skb->mac_header. If an AF_PACKET socket is used to send packets through ipvlan, and the default xmit function of the AF_PACKET socket...

7.7 CVSS, 5.9 AI score, 0.00251 EPSS
Exploits 0, References 2