69 matches found

Cvelist
added 3 days ago, 17 views

CVE-2026-45688 Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOne({ id: ... }) query...

CVSS 9.1 | EPSS 0.00289
Exploits 0 | References 1
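The entry above describes a client-supplied value reaching a MongoDB findOne() query unchecked. The block below is an added example, not Rocket.Chat's code and not the reported exploit: it shows the general NoSQL operator-injection class in JavaScript against a constructed in-memory collection, with a hypothetical lookupVulnerable() beside a lookupHardened() that refuses anything that is not a plain string. The collection, field names, function names and sample tokens are all assumptions made for the illustration.

```javascript
// Added illustration (not Rocket.Chat code): how a client-controlled value
// passed unchecked into a MongoDB findOne() query becomes operator injection,
// and the string-type check that closes it. Collection, field names and
// tokens below are constructed for the example.

// Tiny in-memory stand-in for findOne() so the example runs offline. It
// honours exact matches and the $ne, $regex and $exists operators, which is
// enough to show the attack; it is not a MongoDB driver.
function matchesField(docValue, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    for (const [op, arg] of Object.entries(cond)) {
      if (op === '$ne') {
        if (docValue === arg) return false;
      } else if (op === '$regex') {
        if (!new RegExp(arg).test(String(docValue))) return false;
      } else if (op === '$exists') {
        if ((docValue !== undefined) !== Boolean(arg)) return false;
      } else {
        throw new Error(`unsupported operator ${op}`);
      }
    }
    return true;
  }
  return docValue === cond; // plain equality, as for a string token
}

function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.entries(query).every(([field, cond]) => matchesField(doc[field], cond)),
  );
  return hit || null;
}

// Constructed sample store: one-time tokens issued during a federated login.
const pendingLogins = [
  { _id: 'a1', credentialToken: 'r8QkT2vwXaLm', username: 'alice' },
  { _id: 'b2', credentialToken: 'Zp3mN7xL9cQw', username: 'admin' },
];

// Vulnerable pattern: whatever the client sent in the JSON body is used
// directly as the query value. A string works as intended, but a body of
// {"credentialToken": {"$ne": null}} matches the first stored record, and
// {"$regex": "^Zp"} lets the attacker pick a victim without knowing the token.
function lookupVulnerable(clientToken) {
  return findOne(pendingLogins, { credentialToken: clientToken });
}

// Hardened pattern: enforce the type and shape of the value before it ever
// reaches the query, so an object carrying operators is rejected outright.
function lookupHardened(clientToken) {
  if (typeof clientToken !== 'string' || !/^[A-Za-z0-9_-]{12,128}$/.test(clientToken)) {
    return null; // reject; in a real handler this would be an auth failure
  }
  return findOne(pendingLogins, { credentialToken: clientToken });
}
```

The check sits at the trust boundary, before the database is consulted: JSON body parsers produce objects as readily as strings, and a driver will happily treat an object as a query operator document. A schema validator that pins the field to a string does the same job as the typeof test; either way, nothing the client controls may decide which comparison the database performs.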
Tenable Nessus
added 2026/05/05 12:00 a.m., 4 views

RHEL 9 : .NET 8.0 (RHSA-2026:13693)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:13693 advisory. .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR...

CVSS 7.5 | AI score 6.4 | EPSS 0.0111
Exploits 0 | References 10
EUVD
added 2026/03/25 12:32 a.m., 5 views

EUVD-2026-15157

A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps...

CVSS 6.5 | AI score 5.8 | EPSS 0.00865
Exploits 0 | References 7
CVE
added 2026/03/18 7:38 p.m., 8 views

CVE-2026-31968

HTSlib CRAM decoder (CVE-2026-31968) has incomplete validation in the VARINT and CONST encodings, which can cause writes past heap allocations or a stack byte, potentially enabling heap or stack corruption and, in some streams, arbitrary code execution. Affected versions are 1.23.1, 1.22.2, and 1...

CVSS 8.8 | AI score 6.2 | EPSS 0.00409
Exploits 0 | References 2 | Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 6 views

EUVD-2020-1418

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00955
Exploits 1 | References 9
EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2016-7459

Malware in sbrugna...

CVSS 8.8 | AI score 6.5 | EPSS 0.01055
Exploits 1 | References 5
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-3276

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.01168
Exploits 0 | References 4
Positive Technologies
added 2025/09/10 12:00 a.m., 6 views

PT-2025-86: Disclosure of confidential data via controller configuration request in Fastwel PLC web server

The vulnerability was identified in Fastwel programmable controllers, versions 3.4.5.0 (CPM810-03) and 3.4.9.1 (CPM723-01). An attacker can exploit it to obtain administrator-level privileges. Vulnerability status: confirmed by vendor. Date of vulnerability remediation:...

CVSS 8.3 | AI score 5.8
Exploits 0 | References 2
Rosalinux
added 2025/08/06 8:30 a.m., 3 views

Advisory ROSA-SA-2025-2929

software: ghostscript 9.56.1. OS: ROSA-CHROME. Unaffected versions: >= ghostscript-9.56.1-2. Affected versions: < ghostscript-9.56.1-2. CVE-ID: CVE-2025-27830. BDU-ID: 2025-03710. CVE-Crit: HIGH. CVE-DESC.: A vulnerability in the base/writet1.c and psi/zfapi.c files of the DollarBlend component of the...

CVSS 7.8 | AI score 6.7 | EPSS 0.00273
Exploits 0
RedhatCVE
added 2025/05/22 10:22 p.m., 9 views

CVE-2022-22664

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Logic Pro 10.7.3, GarageBand 10.4.6, macOS Monterey 12.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution...

CVSS 7.8 | AI score 6.7 | EPSS 0.01055
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 10:10 p.m., 10 views

CVE-2022-24820

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and...

CVSS 5.3 | AI score 6.6 | EPSS 0.00985
Exploits 1 | References 1
Tenable Nessus
added 2025/05/22 12:00 a.m., 9 views

RHEL 8 : .NET 8.0 (RHSA-2025:7589)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:7589 advisory. .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. N...

CVSS 8.0 | AI score 7.6 | EPSS 0.011
Exploits 0 | References 4
Tibco
added 2025/05/13 4:59 p.m., 17 views

TIBCO Security Advisory: May 13, 2025 - TIBCO BPM Enterprise - CVE-2025-2261

TIBCO BPM Enterprise XSS Vulnerability. Original release date: May 13, 2025. Last revised: ---. CVE-2025-2261. Source: TIBCO Software Inc. Products affected: TIBCO BPM Enterprise. Component affected: TIBCO ActiveMatrix Administrator. Description: Stored XSS occurs when a web application gathers input from...

CVSS 7.0 | AI score 6.2 | EPSS 0.003
Exploits 0
Information Security Automation
added 2025/05/12 8:46 p.m., 11 views

About Remote Code Execution – Erlang/OTP (CVE-2025-32433) vulnerability

About the Remote Code Execution vulnerability in Erlang/OTP (CVE-2025-32433). Erlang is a programming language used to build massively scalable soft real-time systems with high-availability requirements; it is used in telecom, banking, e-commerce, telephony, and messaging. OTP is a set of Erlang libraries...

CVSS 10.0 | AI score 8.5 | EPSS 0.97673
Exploits 36
CVE
added 2025/03/31 10:22 p.m., 75 views

CVE-2025-30425

CVE-2025-30425 affects Apple Safari and related OS components. A state-management issue in Safari’s handling of private browsing could allow a malicious website to track users in Private Browsing mode. The root cause is described as an issue with state management; no exploitation details are prov...

CVSS 4.3 | AI score 5.8 | EPSS 0.00715
Exploits 0 | References 12 | Affected Software 5
Vulnrichment
added 2025/03/17 1:25 p.m., 8 views

CVE-2025-29788 Sylius PayPal Plugin Payment Amount Manipulation Vulnerability

The Sylius PayPal Plugin is the Sylius Core Team's plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after...

CVSS 6.5 | AI score 6.2 | EPSS 0.00464
Exploits 0 | References 6
Elastic
added 2025/01/23 5:52 a.m., 8 views

Kibana 7.17.23/8.15.0 Security Updates (ESA-2024-32, ESA-2024-33)

ESA-2024-33: Kibana allocation of resources without limits or throttling leads to crash. An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the...

CVSS 6.5 | AI score 6.6 | EPSS 0.00368
Exploits 0
Tibco
added 2024/11/19 6:46 p.m., 17 views

TIBCO Security Advisory: November 19, 2024 - TIBCO API Exchange Gateway - CVE-2024-10514

TIBCO APIX - XML External Entity (XXE) Injection Vulnerability. Original release date: November 19, 2024. Last revised: ---. CVE-2024-10514. Source: TIBCO Software Inc. Products affected: TIBCO API Exchange Gateway 2.4.0 and 2.5.0. Component affected: API Exchange Gateway. Description: The TIBCO API Exchang...

AI score 7.3
Exploits 0
IBM Security Bulletins
added 2024/10/25 2:40 p.m., 28 views

Security Bulletin: Security vulnerability found in packages shipped with IBM CICS TX Advanced

Summary: Security vulnerability found in packages cURL, krb5 and Python shipped with IBM CICS TX Advanced. The versions of the packages have been updated. Vulnerability details: CVE ID: CVE-2024-37370. Description: MIT Kerberos 5 (krb5) could allow a remote attacker to bypass security restrictions,...

CVSS 9.1 | AI score 7.6 | EPSS 0.16212
Exploits 1 | Affected Software 1
Tibco
added 2024/03/12 4:45 p.m., 28 views

TIBCO Security Advisory: March 12, 2024 - TIBCO FTL - CVE-2024-1138

TIBCO FTL Privilege Escalation. Original release date: March 12, 2024. Last revised: ---. Source: TIBCO Software Inc. Products affected: TIBCO FTL - Enterprise Edition versions 6.10.1 and below. The following component is affected: FTL Server. Description: The component listed above contains a...

CVSS 6.5 | AI score 7.2 | EPSS 0.00459
Exploits 0 | Affected Software 1