CVE-2026-39999

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which...

EUVD-2026-37896

In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory use-after-free...

CVE-2026-54196

Subscriber Privilege Escalation in JetFormBuilder = 3.6.1 versions...

CVE-2025-69139

Unauthenticated Arbitrary File Deletion in Car Zone = 3.7 versions...

[SECURITY] Fedora 44 Update: vmod-uuid-1.10-31.fc44

UUID Varnish vmod used to generate a uuid, including versions 1, 3, 4 and 5 as specified in RFC 4122. See the RFC for details about the various versions...

CVE-2026-45300

CVE-2026-45300 affects AsyncHttpClient: vulnerable in the 2.x branch before 2.15.0 and the 3.x branch before 3.0.10. When following cross-origin redirects, propagatedHeaders() strips Authorization and Proxy-Authorization but leaves Cookie intact, causing session cookies and other sensitive cookie...

Security Bulletin: A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. (CVE-2026-4096)

Summary A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. Version 3.0.7 addresses the vulnerability. Vulnerability Details CVEID:CVE-2026-4096 DESCRIPTION: IBM DevOps Plan is vulnerable t...

WordPress Livemesh SiteOrigin Widgets plugin <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Livemesh SiteOrigin Widgets versions = 3.9.2...

WordPress Avada (Fusion) Builder plugin <= 3.15.2 - Unauthenticated Remote Code Execution vulnerability

Unauthenticated Remote Code Execution vulnerability discovered by ? in WordPress Plugin Fusion Builder versions = 3.15.2...

NPM: vm2 Has a Sandbox Breakout Using Async Generator

NPM: vm2 Has a Sandbox Breakout Using Async Generator vulnerability discovered by ? in WordPress Npm vm2 versions = 3.11.2...

NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment

NPM: FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

CVE-2026-41683

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

JLSEC-2026-257 Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client...

Issue summary: If an application using the SSLCIPHERfind function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Servic...

CVE-2026-41988

A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected...

WordPress myCred plugin <= 3.0.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin myCred versions = 3.0.3...

CVE-2026-41907

uuid is for the creation of RFC9562 formerly RFC4122 UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes small buf or large offset. This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0...

CVE-2026-41907 uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided

uuid is for the creation of RFC9562 formerly RFC4122 UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes small buf or large offset. This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0...

GHSA-QMQ6-F8PR-CX5X Duplicate Advisory: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w5hq-g745-h8pq. This link is maintained to preserve external references. Original Advisory uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6...

CVE-2026-41988

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue...

CVE-2026-41988

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue...