
37 matches found

Github Security Blog
added 2026/05/26 8:16 p.m., 10 views

XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

Impact: XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient, and with slightly modified parameters to the LiveTableResults it is still possible to discover password hashes one bit at a time, so with 768 requests the full password salt and hash of a user can be retrieved...

AI score 5.7
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/05/18 5:34 p.m., 2 views

GHSA-9M6V-8FXC-4R44 Sulu: Used API Keys may be available via Admin API

Impact: The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field; Sulu itself does nothing with it and has no per-apiKey authentication in its core. Patch...

CVSS 2.3, AI score 5.8
Exploits: 0, References: 4
OSV
added 2026/04/22 10:16 p.m., 1 view

DEBIAN-CVE-2026-41312

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor not equal to 1 and large predictor...

CVSS 6.5, AI score 5.3, EPSS 0.00025
Exploits: 0, References: 1
Vulnrichment
added 2026/04/22 8:49 p.m., 2 views

CVE-2026-41168 pypdf has possible long runtimes for wrong size values in cross-reference and object streams

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values. This ha...

CVSS 6.9, AI score 5.6, EPSS 0.00052
Exploits: 0, References: 4
Github Security Blog
added 2026/04/16 9:30 p.m., 3 views

pypdf: Manipulated FlateDecode image dimensions can exhaust RAM

Impact: An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values. Patches: This has been fixed in pypdf==6.10.2. Workarounds: If you cannot upgrade yet, consider applying the changes fro...

CVSS 6.5, AI score 5.7, EPSS 0.00025
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2026/03/26 5:16 p.m., 3 views

PYSEC-2026-27

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce a Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), th...

CVSS 7.3, AI score 5.8, EPSS 0.00006
Exploits: 0, References: 4
Cvelist
added 2026/03/26 4:54 p.m., 19 views

CVE-2026-33430 Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions

Briefcase is a tool for converting a Python project into a standalone native application. Starting in version 0.3.0 and prior to version 0.3.26, if a developer uses Briefcase to produce a Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), th...

CVSS 7.3, EPSS 0.00006
Exploits: 0, References: 4
CVE
added 2026/03/26 4:54 p.m., 2 views

CVE-2026-33430

Summary of CVE-2026-33430 and related advisory: The connected OSV/GHSA entries describe a Windows MSI installer privilege escalation in Briefcase when used to create per-machine (All Users) installations. The installation process can create a directory that inherits the permissions of its parent,...

CVSS 7.3, AI score 5.8, EPSS 0.00006
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies
added 2026/03/20 12:00 a.m., 1 view

PT-2026-26543

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.3.0-latest.1, Discourse versions prior to 2026.2.1, Discourse versions prior to 2026.1.2. Description: Discourse is an open-source discussion platform. The ComposerController#mentions API endpoint reveals hidden gro...

CVSS 5.3, AI score 6, EPSS 0.00054
Exploits: 0, References: 5
ATTACKERKB
added 2026/02/25 2:45 a.m., 3 views

CVE-2026-27628

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually...

CVSS 7.5, AI score 5.3, EPSS 0.00055
Exploits: 0, References: 5, Affected Software: 1
Positive Technologies
added 2026/01/01 12:00 a.m., 2 views

PT-2026-28179

Name of the Vulnerable Software and Affected Versions: pypdf versions prior to 6.9.2. Description: pypdf is a free and open-source pure-python PDF library. A crafted PDF file can cause an infinite loop when read in non-strict mode. This issue requires reading a file in non-strict mode. Applying the...

CVSS 8.2, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 18
OSV
added 2025/12/10 3:46 p.m., 1 view

GHSA-7VPR-JM38-WR7W XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Impact: A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to...

CVSS 6.5, AI score 7.2, EPSS 0.00129
Exploits: 1, References: 5
OSV
added 2025/11/25 8:43 p.m., 1 view

GHSA-98VJ-MM79-V77R Contao is vulnerable to remote code execution in template closures

Impact: Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. Patches: Update to Contao 4.13.57, 5.3.42 or 5.6.5. Workarounds: Manually patch the Contao\Template::once method. Resources...

CVSS 6.6, AI score 7.3, EPSS 0.0002
Exploits: 0, References: 7
Vulnrichment
added 2025/11/25 6:54 p.m., 2 views

CVE-2025-65960 Contao is vulnerable to remote code execution in template closures

Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57...

CVSS 6.6, AI score 6.9, EPSS 0.0002
Exploits: 0, References: 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-1427

Malware in sbrugna...

CVSS 9.1, AI score 9, EPSS 0.00257
Exploits: 0, References: 6
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-0971

Malware in sbrugna...

CVSS 5.8, AI score 5.7, EPSS 0.00316
Exploits: 0, References: 5
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-24648

Malicious code in bioql PyPI...

CVSS 8.7, AI score 6.3, EPSS 0.00164
Exploits: 0, References: 6
Positive Technologies
added 2025/08/19 12:00 a.m., 10 views

PT-2025-33709

Name of the Vulnerable Software and Affected Versions: Real Spaces - WordPress Properties Directory Theme versions prior to 3.7 Description: The Real Spaces - WordPress Properties Directory Theme for WordPress is susceptible to privilege escalation through the imic agent register function. This...

CVSS 9.8, AI score 6.5, EPSS 0.00304
Exploits: 3, References: 10
OSV
added 2025/07/02 1:28 p.m., 3 views

CVE-2025-53106 Graylog vulnerable to privilege escalation through API tokens

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the...

CVSS 8.8, AI score 6.2, EPSS 0.00275
Exploits: 0, References: 5
OSV
added 2025/06/30 5:52 p.m., 2 views

GHSA-373J-MHPF-84WG Janssen Config API returns results without scope verification

Impact: What kind of vulnerability is it? Who is impacted? The configAPI is an internal service and hence should never be exposed to the internet. With that said, this is a serious vulnerability with a large internal attack surface that exposes all sorts of information from the IDP...

CVSS 8.2, AI score 6.8, EPSS 0.00435
Exploits: 0, References: 7