OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode
A flaw was found in OpenSSH. When the scp command is used by a root user to download a file with the legacy protocol option (-O) and without preserving original file permissions (-p), the downloaded file can be installed with elevated privileges (setuid or setgid). This unexpected behavior could allow ...
SUSE CVE-2026-38978
transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths...
Exploit for CVE-2026-46243
cifswitch-check A shell script to check whether a Linux syste...
CVE-2026-45155
A flaw was found in Nextcloud Server. A missing access check at the API (Application Programming Interface) level could allow an authenticated attacker, who has access to a circle ID from another source, to add unknown circles to other circles. This could lead to the disclosure of circle membership...
PT-2026-45917
The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
PT-2026-45954
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile...
PT-2026-45918
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
PT-2026-45925
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root...
CVE-2026-36748
RockRMS vulnerability CVE-2026-36748 affects v16.13 and earlier of RockRMS up to v17.7.0, allowing Cross Site Scripting (XSS) via social media links in a user profile. The connected documents confirm the affected product version range and the XSS impact, but do not provide rooted technical detail...
Linux Distros Unpatched Vulnerability : CVE-2026-47327
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggere...
RockyLinux 10 : corosync (RLSA-2026:19043)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19043 advisory. corosync: Corosync: Denial of Service and information disclosure via crafted UDP packet CVE-2026-35091 corosync: Corosync: Denial of Service via intege...
PT-2026-45908
Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...
PT-2026-45921
The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...
PT-2026-46044
Name of the Vulnerable Software and Affected Versions: ERPNext version 16.16.0. Description: An authenticated user can persist arbitrary HTML or JavaScript within the email id or mobile no fields of a Customer record. This leads to unescaped rendering in the Point of Sale (POS) interface for any...
UBUNTU-CVE-2026-5385
An unauthenticated user with write access to the knowledge base can st...
Linux Distros Unpatched Vulnerability : CVE-2026-46183
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - mm/damon/sysfs-schemes: protect path kfree with damonsysfslock damonsysfsquotgoal-path can be read and written by users, via DAMON sysfs 'path' file. It can als...
PT-2026-45922
The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input...
PT-2026-46306
Name of the Vulnerable Software and Affected Versions: matrix-sdk-ui versions prior to 0.16.1. Description: The message edit validation logic is missing a check when replacing an encrypted event, as the replacement event is not required to be encrypted. This allows a malicious homeserver administrat...
CVE-2026-36748
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile...
PT-2026-45920
The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...