WeGIA <= 3.6.4 - Remote Code Execution

WeGIA = 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands id: CVE-2026-28409 info: name: WeGIA = 3.6.4 - Remote Code Execution author:...

Mail Mint < 1.19.5 - Unauthenticated Email Disclosure

Mail Mint WordPress plugin 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication. id: CVE-2026-2025 info: name: Mail Mint 1.19.5 -...

Broadstreet WordPress plugin - Reflected XSS

Broadstreet WordPress plugin 1.51.8 contains a reflected XSS caused by unsanitised and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires victim interaction. id: CVE-2025-4652 info: name: Broadstreet WordPress plugin -...

Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the updateloggedinuser function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers t...

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty

Summary Multiple vulnerabilities in IBM WebSphere Application Server Liberty that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2026-29063 DESCRIPTION: Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and...

CVE-2026-49486 Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)

The Apache Airflow FTP provider's FTPSHook.getconn created an ftplib.FTPTLS connection but never called protp, so although the control channel was TLS-protected the data channel was transmitted in cleartext. Any deployment using FTPSHook or FTPSFileTransmitOperator to move files over FTPS exposed...

CVE-2026-49486

The CVE concerns the Apache Airflow FTP provider. The FTPSHook.get_conn() creates an ftplib.FTP_TLS connection but does not call prot_p(), leaving the data channel unencrypted even though the control channel is TLS-protected. This exposes file contents and credentials-in-transit to anyone who can...

PT-2026-52668

Name of the Vulnerable Software and Affected Versions apache-airflow-providers-ftp versions prior to 3.15.1 Description The FTPSHook.get conn function in the Apache Airflow FTP provider creates an ftplib.FTP TLS connection without calling prot p. This results in the data channel being transmitted...

Debian dsa-6366 : sogo - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6366 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6366-1 [email protected] https://www.debian.org/securit...

CVE-2026-54274

A flaw was found in aiohttp, an asynchronous HTTP client/server framework. An attacker can exploit this vulnerability by sending large, incomplete websocket frame payloads. This can bypass normal memory usage limits, potentially leading to a Denial of Service DoS where the affected system becomes...

CVE-2026-56130

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

CVE-2026-41566

CVE-2026-41566 affects Apache Kvrocks 2.8.0 and is described as an improper handling of insufficient permissions or privileges, specifically related to the APPLYBATCH command. The issue is rated high risk (CVSS 4.0 base 9.4) with impact on confidentiality, integrity, and availability. No exploita...

CVE-2026-54226

CVE-2026-54226 — Apache Kvrocks (RESTORE IntSet Integer Overflow) * Affects Kvrocks versions 2.6.0 through 2.15.0. The entry title indicates an integer overflow in RESTORE IntSet that can lead to a remote DoS. The fix is to upgrade to version 2.16.0. No exploitation details or in-the-wild status ...

Incomplete List of Disallowed Inputs

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the...

PT-2026-51548

Name of the Vulnerable Software and Affected Versions Language Servers for AWS versions prior to 1.69.0 Description Missing symlink validation may allow an arbitrary file write outside of the workspace trust boundary. This occurs when a local user opens a workspace containing a maliciously crafte...

CVE-2025-66336 Apache Doris MCP Server: SQL injection leading the authentication bypass

Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymo...

Debian dsa-6356 : imagemagick - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6356 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6356-1 [email protected] https://www.debian.org/securit...

Fedora 44 : singularity-ce (2026-63ae478575)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-63ae478575 advisory. Upgrade to 4.4.2 upstream version. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessu...

Improper Locking

Overview Affected versions of this package are vulnerable to Improper Locking in the releasewritelock and releasereadlock functions. An attacker can disrupt synchronization guarantees and exploit data races or cause denial of service by invoking these functions from unauthorized threads or withou...

Improper Verification of Cryptographic Signature

Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in...