149 matches found

SUSE CVE
Added 2026/05/29 1:20 a.m. · 8 views

SUSE CVE-2026-45108

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix...

CVSS 8.4 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 3
vulnersOsv
Added 2026/05/19 12:00 a.m. · 3 views

@antv/ava (=3.6.0-alpha.0), @antv/gpt-vis (>=0.0.1 <=0.6.1) +31 more potentially affected by unknown CVE via @antv/l7-draw (=3.1.5)

@antv/l7-draw NPM version =3.1.5 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/l7-draw and may be impacted: - @antv/ava =3.6.0-alpha.0 - @antv/gpt-vis =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.9.9, =0.1.1, =1.0.0, =1.0.2, =1.0.2, =0.0.1, =0.0.1, =0.0....

AI score 5.8
Exploits: 0
NVD
Added 2026/05/12 11:16 p.m. · 8 views

CVE-2026-41901

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous...

CVSS 9 | EPSS 0.00104
Exploits: 0 | References: 1
Positive Technologies
Added 2026/05/04 12:00 a.m. · 3 views

PT-2026-36947

Name of the Vulnerable Software and Affected Versions: Thymeleaf versions prior to 3.1.5.RELEASE. Description: A security bypass exists in the expression execution mechanisms of Thymeleaf. The library fails to properly neutralize specific constructs within sandboxed restricted contexts, allowing...

CVSS 9 | AI score 6.3 | EPSS 0.00104
Exploits: 0 | References: 12
NVD
Added 2026/04/15 9:16 a.m. · 2 views

CVE-2026-5694

The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

CVSS 7.2 | EPSS 0.00117
Exploits: 0 | References: 3
Cvelist
Added 2026/04/15 7:45 a.m. · 27 views

CVE-2026-5694 Quick Interest Slider <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting

The Quick Interest Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'loan-amount' and 'loan-period' parameters in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

CVSS 7.2 | EPSS 0.00117
Exploits: 0 | References: 3
RedhatCVE
Added 2026/03/26 3:02 p.m. · 1 view

CVE-2026-32313

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover...

CVSS 8.2 | AI score 5.9 | EPSS 0.00052
Exploits: 1 | References: 1
EUVD
Added 2026/03/25 6:31 p.m. · 0 views

EUVD-2026-15681

Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection. This issue affects Pendulum: from n/a through 3.1.5...

AI score 5.8 | EPSS 0.00071
Exploits: 0 | References: 2
CNNVD
Added 2026/03/25 12:00 a.m. · 2 views

WordPress plugin Pendulum code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

CVSS 8.8 | AI score 5.9 | EPSS 0.00071
Exploits: 0 | References: 1
Positive Technologies
Added 2026/03/25 12:00 a.m. · 1 view

PT-2026-27920

Name of the Vulnerable Software and Affected Versions: rascals Pendulum versions prior to 3.1.5. Description: An issue exists in rascals Pendulum that allows for Object Injection due to deserialization of untrusted data. This impacts the Pendulum software. Recommendations: Update to a version of...

CVSS 8.8 | AI score 5.9 | EPSS 0.00071
Exploits: 0 | References: 3
CVE
Added 2026/03/13 7:50 p.m. · 6 views

CVE-2026-32313

CVE-2026-32313 affects the PHP library xmlseclibs (XML Encryption/Signatures). Prior to version 3.1.5, nodes encrypted with AES-128/192/256-GCM lack validation of the authentication tag length, enabling an attacker to brute-force the tag, recover the GHASH key, and decrypt encrypted nodes. The vu...

CVSS 8.2 | AI score 5.9 | EPSS 0.00052
Exploits: 1 | References: 3 | Affected Software: 1
Positive Technologies
Added 2026/03/13 12:00 a.m. · 2 views

PT-2026-25372

Summary: XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows forging arbitrary ciphertexts...

CVSS 8.2 | AI score 5.8 | EPSS 0.00052
Exploits: 1 | References: 9
OSV
Added 2026/03/12 6:38 p.m. · 1 view

CVE-2026-32237 @backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

CVSS 4.4 | AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 4
Github Security Blog
Added 2026/03/12 2:51 p.m. · 3 views

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint

Impact: Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured...

CVSS 6.5 | AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
Added 2026/03/12 2:51 p.m. · 2 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: @backstage/plugin-scaffolder-backend is the Backstage backend plugin that helps you create new things. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the dry-run endpoint when secrets configured in...

CVSS 6.5 | AI score 5.9 | EPSS 0.00037
Exploits: 0 | References: 2
RedHat Linux
Added 2026/02/23 5:24 p.m. · 5 views

Important: Red Hat Security Advisory: Red Hat OpenShift Service Mesh 3.1.5

Red Hat OpenShift Service Mesh 3.1.5. This update has a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. Red Hat OpenShift Service Mesh 3.1....

CVSS 7.5 | AI score 6.8 | EPSS 0.00024
Exploits: 2 | References: 4
UbuntuCve
Added 2026/02/21 6:17 a.m. · 3 views

CVE-2026-27199

Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safejoin function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that...

CVSS 6.3 | AI score 6.4 | EPSS 0.00027
Exploits: 1 | References: 4
OSSF Malicious Packages
Added 2026/02/10 5:16 p.m. · 7 views

Malicious code in search-newfrontier-podlet (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6e41804eeb58691ca7b68763c0db9e48636ffeb9d7020d95bbc9d9e9aec6e76 The package search-newfrontier-podlet was found to contain malicious code. Source: ossf-package-analysis...

AI score 5.6
Exploits: 0
NVD
Added 2026/02/03 3:16 p.m. · 4 views

CVE-2026-24961

Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through 3.1.5...

CVSS 5.4 | EPSS 0.00049
Exploits: 0 | References: 1
CNNVD
Added 2026/02/03 12:00 a.m. · 3 views

WordPress plugin Grand Blog security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.4 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 1