Security Bulletin: A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. (CVE-2026-4096)

Summary A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. Version 3.0.7 addresses the vulnerability. Vulnerability Details CVEID:CVE-2026-4096 DESCRIPTION: IBM DevOps Plan is vulnerable t...

CVE-2026-7666

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read ema...

CVE-2026-6873

CVE-2026-6873 affects Django 6.0 before 6.0.6 and 5.2 before 5.2.15. The issue is a non-injective salt derivation in django.http.HttpRequest.get_signed_cookie that concatenates the cookie name and salt argument, enabling a remote attacker to use a signed cookie in a context different from where i...

CVE-2026-6873 Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...

PT-2026-45944

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.has vary header in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whos...

CVE-2026-40108

CVE-2026-40108 - GLPI Stored XSS in ITIL costs : Affects GLPI versions 11.0.0 through 11.0.6 where a technician can store an XSS payload in ITIL costs. The issue has been fixed in version 11.0.7. CVSS 4.0 base score is 7.1 (HIGH) with user interaction required and HIGH impact on confidentiality, ...

CVE-2026-45701

Sulu is an open-source PHP content management system based on the Symfony framework. Prior to versions 2.6.23 and 3.0.6, the password reset tokenand API key generation uses a weak cryptographical hash algorithm. This issue has been patched in versions 2.6.23 and 3.0.6...

OPENSUSE-SU-2026:20854-1 Security update for rqlite

This update for rqlite fixes the following issues: Changes in rqlite: - Update to version 10.2.0: Support verifying mTLS peer Common Name Console supports restore from SQLite data Console "count rows" respects current Tables Expand/Collapse state Console supports dropping indexes Further Console...

CVE-2026-42682 WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6...

CVE-2026-45149 brace-expansion: Large numeric range defeats documented `max` DoS protection

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like 1..10000000, the sequence generation loop generates all 10 million intermediate...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: powerpc64/bpf: The instruction “ldbrx” is limited to processors that comply with ISA v2.06. Johan reported the following crash with the testbpf function on the ppc64 e5500 architecture: testbpf: 296 ALUENDFROMLE 64:...

Astra Linux - уязвимость в libreoffice

LibreOffice supports digital signatures for ODF documents and macros within documents. It provides visual indicators that confirm that the document has not been altered since the last signature, and that the signature is valid. A vulnerability in certificate validation in LibreOffice allowed...

CLSA-2026-1779212122 sos: Fix of CVE-2022-2806

CVE-2022-2806: ovirt plugin: filter out all password keys in answer files...

CVE-2026-32312

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7...

CVE-2026-39250

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations...

Revive Adserver: PHP code injection via unexpected delivery limitation parameter

A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the compiledlimitations field, which could then be executed during banner...

[SECURITY] Fedora 44 Update: rust-astral-tokio-tar-0.6.1-1.fc44

A Rust implementation of an async TAR file reader and writer. This library does not currently handle compression, but it is abstract over all I/O readers and writers. Additionally, great lengths are taken to ensure that the entire contents are never required to be entirely resident in memory all ...

EUVD-2026-30284

Verba is affected by a Stored Cross-Site Scripting XSS vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of...

CVE-2026-6225

The CVE concerns the WordPress plugin Taskbuilder – Project Management & Task Management Tool With Kanban Board . It is vulnerable to a time-based blind SQL Injection via the 'project_search' parameter in all versions up to and including 5.0.6 , caused by insufficient escaping and inadequate prep...

Fedora 44 : kernel / kernel-headers (2026-4462efc052)

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-4462efc052 advisory. The 7.0.6 stable kernel update contains a number of important fixes across the tree. It also contains a fix for the Fragnesia CVE-2026-46300 Tenable has...