CVE-2026-44825

Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...

CVE-2026-40961

A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the issafeurl check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to apache-airflow 3.2.2 or later. As a defense-in-dept...

PYSEC-2026-185

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

CVE-2026-44825

Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...

CVE-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...

CVE-2026-41017

Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default...

EUVD-2026-33590

A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking e.g. nested password / token / secret / apikey keys inside a JSON template structure to be bypassed when the rendered field exceeded core maxtemplatedfieldlength: Airflow stringified the structure befor...

CVE-2026-46764

The Event Log detail endpoint GET /api/v2/eventLogs/eventlogid in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint GET /api/v2/eventLogs applied per-Dag scoping. An authenticated UI/API user with audit-lo...

EUVD-2026-33580

A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster e.g...

CVE-2026-42253 Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow...

CVE-2026-46605

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, fr...

CVE-2026-49157 Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin low-privilege web-login accounts access to Jolokia operations which allowed executing broker...

EUVD-2026-33573

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all...

[SECURITY] [DSA 6313-1] dovecot security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6313-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 31, 2026 https://www.debian.org/security/faq -...

[SECURITY] [DLA 4609-1] imagemagick security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-4609-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucariès May 30, 2026 https://wiki.debian.org/LTS -...

CVE-2026-39824 affecting package azurelinux-image-tools for versions less than 1.4.0-1

CVE-2026-39824 affecting package azurelinux-image-tools for versions less than 1.4.0-1. An upgraded version of the package is available that resolves this issue...

Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by a vulnerability in axios (CVE-2026-25639)

Summary A Denial of Service vulnerability in the axios library CVE-2026-25639 used by IBM InfoSphere Optim Archive Viewer has been addressed by upgrading the library to version 1.15.0. Vulnerability Details CVEID:CVE-2026-25639 DESCRIPTION: Axios is a promise based HTTP client for the browser and...

GHSA-9VP8-3HMV-8FGH stigmem-node's federation peer registration lacked explicit out-of-band approval

Impact Federation peer registration accepted peer key material during registration without a separate administrator approval step based on an out-of-band fingerprint check. Impacted deployments are nodes that accept federation peer registration across a network where initial registration could be...

stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation

Impact Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and...

Incorrect Authorization

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Incorrect Authorization through insufficient authorization checks in the renameFile process. An attacker can modify file names and...