HashiCorp Vault 安全漏洞

HashiCorp Vault is a private key access management tool developed by the American company HashiCorp. Versions of HashiCorp Vault prior to 2.0.0, as well as versions prior to 1.21.5, 1.20.10, and 1.19.16, contain security vulnerabilities. These vulnerabilities stem from Vault’s practice of...

PT-2026-33532

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory, which performs no file...

PT-2026-33414

Name of the Vulnerable Software and Affected Versions Unlimited Elements for Elementor versions prior to 2.0.7 Description An arbitrary file read issue exists due to insufficient path traversal sanitization in the URLtoRelative and urlToPath functions, combined with the ability to enable debug...

PT-2026-33484

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl desc function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causin...

Firebird 安全漏洞

Firebird is a set of open-source, cross-platform relational database management systems provided by the Firebird Foundation, which include multiple ANSI SQL-92 functions. Vulnerabilities exist in versions prior to Firebird 5.0.4, 4.0.7, and 3.0.14. These vulnerabilities stem from the assumption...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007300)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007300 advisory. In the Linux kernel, the following vulnerability has been resolved: Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out o...

BIT-DJANGO-2026-4292 Privilege abuse in ModelAdmin.list_editable

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using ModelAdmin.listeditable incorrectly allowed new instances to be created via forged POST data. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated a...

GHSA-VR7G-88FQ-VHQ3 Paperclip: OS Command Injection via Execution Workspace cleanupCommand

| Field | Value | |-------|-------| | Affected Software | Paperclip AI v2026.403.0 | | Affected Component | Execution Workspace lifecycle workspace-runtime.ts | | Affected Endpoint | PATCH /api/execution-workspaces/:id | | Deployment Modes | All — localtrusted zero auth, authenticated any company...

Paperclip: OS Command Injection via Execution Workspace cleanupCommand

| Field | Value | |-------|-------| | Affected Software | Paperclip AI v2026.403.0 | | Affected Component | Execution Workspace lifecycle workspace-runtime.ts | | Affected Endpoint | PATCH /api/execution-workspaces/:id | | Deployment Modes | All — localtrusted zero auth, authenticated any company...

[slackware-security] libxml2

New libxml2 packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/libxml2-2.11.9-i586-9slack15.0.txz: Rebuilt. This update fixes security issues: entities: copy children in xmlCopyEntity. c14n: Fix...

CVE-2026-39424

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file .xlsx via the...

CVE-2025-43935

Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service...

CVE-2026-21727

A flaw was found in Grafana. This cross-tenant isolation vulnerability affects legacy correlation records, specifically those created prior to Grafana 10.2. A user with datasource management privileges can exploit a backward compatibility condition, which allows records with an organization ID...

WordPress MagOne theme <= 9.0 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme MagOne versions = 9.0...

netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood

A flaw was found in Netty. A remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume...

SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

Important: Red Hat Security Advisory: .NET 9.0 security update

An update for .NET 9.0 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

Important: Red Hat Security Advisory: .NET 9.0 security update

An update for .NET 9.0 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories

You know that feeling when you open your feed on a Thursday morning and it's just... a lot? Yeah. This week delivered. We've got hackers getting creative in ways that are almost impressive if you ignore the whole "crime" part, ancient vulnerabilities somehow still ruining people's days, and enoug...

WordPress Livemesh Addons by Elementor plugin <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Livemesh Addons for Elementor versions = 9.0...