Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in golang.org/x/net-v0.48.0

Summary IBM Watson Discovery Cartridge affected by vulnerability in golang.org/x/net-v0.48.0 Vulnerability Details CVEID:CVE-2026-33814 DESCRIPTION: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE...

CVE-2026-41075

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing th...

actscene-ocr (>=0.1.3 <=0.1.5), agent-zero (>=0.1.0 <=0.1.2) +78 more potentially affected by CVE-2026-44660 via ujson (>=5.0.0 <=5.12.0)

ujson PYPI version =5.0.0, =0.1.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0a2, =2.2.0, =6.2.0.dev68, =0.1.0, =0.0.23, =0.1.0, =2.0.12, =0.0.59, =0.1.0, =8.124.0, =8.125.0 and more Source cves: CVE-2026-44660 Source advisory: SNYK:PYTHON-UJSON-16643463...

CVE-2026-40982

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in cryptography-46.0.4-cp38-abi3-manylinux_2_34_x86_64.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in cryptography-46.0.4-cp38-abi3-manylinux234x8664.whl Vulnerability Details CVEID:CVE-2026-26007 DESCRIPTION: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5,...

CVE-2026-1726

IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1...

PT-2026-34578

IBM Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2, 4.2.1, 5.0, and 5.1...

EUVD-2026-23784

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied...

CVE-2026-39347

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability...

CVE-2026-39348

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier...

CVE-2026-39345 OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This...

EUVD-2026-8517

The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http2-4.1.118.Final.jar

Summary IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http2-4.1.118.Final.jar Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerabl...

CVE-2025-67719

Summary: CVE-2025-67719 affects Ibexa’s User Bundle in the Ibexa DXP. Versions 5.0.0-beta1–5.0.3 lack proper password-change validation due to an error introduced during the v4→v5 transition, allowing a logged-in attacker with an unattended session to change a user’s password without knowing the ...

CVE-2025-66224 OrangeHRM is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Injection

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these...

TencentOS Server 4: python-django (TSSA-2025:0857)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0857 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

argus-notification-msteams (=0.5.1), argus-server (>=1.0.0 <=1.22.1) +97 more potentially affected by CVE-2025-61783 via social-auth-app-django (>=5.0.0 <=5.4.3)

social-auth-app-django PYPI version =5.0.0, =1.0.0, =1.0.0, =4.14.0, =0.4.3, =0.8.7, =0.0.2a17, =1.0.0, =1.0.0, =1.2.0, =4.8.0, =0.0.2, =1.0.0, =1.1.0 and more Source cves: CVE-2025-61783 Source advisory: SNYK:PYTHON-SOCIALAUTHAPPDJANGO-13512562...

CVE-2025-36225 IBM Aspera Faspex information disclosure

IBM Aspera 5.0.0 through 5.0.13.1 could disclose sensitive user information from the system to an authenticated user due to an observable discrepancy of returned data...

BIT-MONGODB-2025-6707 Race condition in privilege cache invalidation cycle

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior ...

Best Practical RT 跨站脚本漏洞

Best Practical RT is a request tracker from Best Practical, Inc. A cross-site scripting vulnerability exists in Best Practical RT versions 4.4 through 4.4.7 and 5.0 through 5.0.7, which stems from the injection of specially crafted parameters in the search URL that could lead to cross-site...