CVE-2026-43515

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from...

Apache Druid - Server-Side Request Forgery

Server-Side Request Forgery SSRF, Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting', URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Apache Druid.This issue affects all previous Druid versions.When using the Druid management proxy, a request tha...

CVE-2026-45279 Nextcloud: Limited path traversal via template API if using `{lang}` in config

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...

CVE-2026-42588

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy...

CVE-2026-44825 Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users

Hardcoded credentials in the Basic Authentication setup tool bin/solr auth enable in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specifi...

CVE-2026-42588

Apache ActiveMQ (Broker, All, and ActiveMQ) is affected by CVE-2026-42588 via the Jolokia JMX-HTTP bridge exposed on the web console (/api/jolokia/). The vulnerability arises when an authenticated attacker uses a crafted discovery URI to trigger the VM transport’s brokerConfig parameter with a ma...

CVE-2026-46605 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, fr...

CVE-2026-49270 Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all...

Debian dsa-6301 : roundcube - security update

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6301 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6301-1 [email protected]...

PT-2026-44071

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 12.7 through 18.10.6 GitLab CE/EE versions 18.11 through 18.11.3 GitLab CE/EE versions 19.0 through 19.0.0 Description An issue exists where an authenticated user could, under certain conditions, access CI Continuous...

Session Fixation

Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Session Fixation during the login operation in...

CVE-2026-43827 Apache Shiro: Session fixation: new session is not created after login by default

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

CVE-2026-42797 Apache Syncope: JexlContextBuilder Information Disclosure

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related...

PT-2026-43119

Name of the Vulnerable Software and Affected Versions Apache Shiro versions 1.0 through 2.1.0 Apache Shiro version 3.0.0-alpha-1 Description Default configurations cause the Shiro-native session manager and the Remember-Me manager to send JSESSIONID and rememberMe cookies without the 'Secure'...

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in PATCH /api/v3/core/users/pk/. An attacker can gain elevated privileges by assigning arbitrary groups, including those with administrator-equivalent permissions, to users they control or have access to,...

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in PATCH /api/v3/core/users/pk/. An attacker can gain elevated privileges by assigning arbitrary groups, including those with administrator-equivalent permissions, to users they control or have access to,...

CVE-2026-44417

CVE-2026-44417 is an Apache CXF-related issue that completes the fix for CVE-2025-48913. The vulnerability arises when untrusted users can configure JMS in CXF, potentially enabling code execution. The published advisories indicate an incomplete fix previously, and upgrades are recommended to mit...

EUVD-2026-31434

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVE-2026-44618

Technical details for CVE-2026-44618 are not publicly available in the provided documents. The records mention an XXE vulnerability in Apache CXF WS-Transfer and upgrade versions, but no further specifics are provided. Monitor for updates.

CVE-2026-44618 Apache CXF: XXE vulnerability in WS-Transfer functionality

Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...