๐จ CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
๐@cveNotify
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
๐@cveNotify
๐จ CVE-2023-51384
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
๐@cveNotify
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
๐@cveNotify
seclists.org
Full Disclosure: APPLE-SA-03-07-2024-2 macOS Sonoma 14.4
๐จ CVE-2023-51385
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
๐@cveNotify
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
๐@cveNotify
seclists.org
Full Disclosure: APPLE-SA-03-07-2024-2 macOS Sonoma 14.4
๐จ CVE-2024-23848
In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.
๐@cveNotify
In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.
๐@cveNotify
๐จ CVE-2024-22099
NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.
This issue affects Linux kernel: v2.6.12-rc2.
๐@cveNotify
NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.
This issue affects Linux kernel: v2.6.12-rc2.
๐@cveNotify
๐จ CVE-2024-23307
Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.
๐@cveNotify
Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.
๐@cveNotify
๐จ CVE-2024-0727
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack
Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
๐@cveNotify
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack
Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
๐@cveNotify
GitHub
Add NULL checks where ContentInfo data can be NULL ยท openssl/openssl@09df439
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and...
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and...
๐จ CVE-2025-54236
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
๐@cveNotify
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
๐@cveNotify
Adobe
Adobe Security Bulletin
Security Updates Available for Adobe Commerce | APSB25-88
๐จ CVE-2026-41564
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.
The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery.
This affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.
๐@cveNotify
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.
The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery.
This affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.
๐@cveNotify
๐จ CVE-2026-28510
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.
๐@cveNotify
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2.
๐@cveNotify
GitHub
cleanup: login/mfa: remove useless request fallback ยท elabftw/elabftw@8b7a575
now the setup in on UcpController
๐จ CVE-2026-30246
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
๐@cveNotify
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
๐@cveNotify
GitHub
fiber/middleware/cache/cache_test.go at main ยท gofiber/fiber
โก๏ธ Express inspired web framework written in Go. Contribute to gofiber/fiber development by creating an account on GitHub.
๐จ CVE-2026-27960
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.
๐@cveNotify
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.
๐@cveNotify
GitHub
Priviledge escalation and unauthenticated access using default admin
### Impact
There is a priviledge escalation vulnerability affecting OpenCTI that can be exploited by unauthenticated attackers, and enables to query the API as any existing user including the admi...
There is a priviledge escalation vulnerability affecting OpenCTI that can be exploited by unauthenticated attackers, and enables to query the API as any existing user including the admi...
๐จ CVE-2026-6860
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
๐@cveNotify
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
๐@cveNotify
GitHub
Define a bounded capacity for the internal SNI to SslContext cache. by vietj ยท Pull Request #6102 ยท eclipse-vertx/vert.x
Motivation:
The SNI to SslContext cache does not define a max size, this cache can be filled by TLS client when server SNI is enabled.
Client can trigger to load multiple times the same SslContext ...
The SNI to SslContext cache does not define a max size, this cache can be filled by TLS client when server SNI is enabled.
Client can trigger to load multiple times the same SslContext ...
๐จ CVE-2026-41498
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.
๐@cveNotify
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0.
๐@cveNotify
GitHub
Release 2.54.0 ยท kimai/kimai
Compatible with PHP 8.1 to 8.5
Avatar URL fields need to be a real absolute URL (#5896)
Do not allow the = character in name fields (#5896)
Sunset long deprecated API passwords (#5896)
Hardening p...
Avatar URL fields need to be a real absolute URL (#5896)
Do not allow the = character in name fields (#5896)
Sunset long deprecated API passwords (#5896)
Hardening p...
๐จ CVE-2026-42150
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
๐@cveNotify
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
๐@cveNotify
GitHub
fix(output): properly escape generated HTML (#1327) ยท WeblateOrg/wlc@0f3e58f
Weblate command line client. Contribute to WeblateOrg/wlc development by creating an account on GitHub.
๐จ CVE-2026-42261
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true โ a supported and documented configuration โ this means any internet user who can register. This issue has been patched in version 0.5.4.
๐@cveNotify
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true โ a supported and documented configuration โ this means any internet user who can register. This issue has been patched in version 0.5.4.
๐@cveNotify
GitHub
Release PromptHub 0.5.4 ยท legeling/PromptHub
๐ฆ ไธ่ฝฝๅฎ่ฃ
ๅนณๅฐ
ไธ่ฝฝ
Windows
macOS
Linux
โ ๏ธ macOS ้ฆๆฌกๅฏๅจ
ๅฆๆๆ็คบ"ๆ ๆณๆๅผ"ๆ"ๅทฒๆๅ"๏ผ่ฏทๅจ็ป็ซฏๆง่ก๏ผ
sudo xattr -rd com.apple.quarantine /Applications/PromptHub.app
๐ ๆฌๆฌกๆดๆฐ
่ฏฆ็ปๆดๆฐๆฅๅฟ่ฏทๆฅ็ ๆดๆฐๆฅๅฟ
ๅนณๅฐ
ไธ่ฝฝ
Windows
macOS
Linux
โ ๏ธ macOS ้ฆๆฌกๅฏๅจ
ๅฆๆๆ็คบ"ๆ ๆณๆๅผ"ๆ"ๅทฒๆๅ"๏ผ่ฏทๅจ็ป็ซฏๆง่ก๏ผ
sudo xattr -rd com.apple.quarantine /Applications/PromptHub.app
๐ ๆฌๆฌกๆดๆฐ
่ฏฆ็ปๆดๆฐๆฅๅฟ่ฏทๆฅ็ ๆดๆฐๆฅๅฟ
๐จ CVE-2026-42277
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.
๐@cveNotify
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.
๐@cveNotify
GitHub
IDOR in /chat/file/{file_id} allows any authenticated user to download other users files
### Summary
The `GET /chat/file/{file_id}` endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is ...
The `GET /chat/file/{file_id}` endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is ...
๐จ CVE-2024-51092
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
๐@cveNotify
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
๐@cveNotify
GitHub
[Critical] - Authenticated OS Command Injection
### Summary
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allows...
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allows...
๐จ CVE-2025-55449
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
๐@cveNotify
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
๐@cveNotify
GitHub
GitHub - AstrBotDevs/AstrBot: AI Agent Assistant & development framework that integrates lots of IM platforms, LLMs, plugins andโฆ
AI Agent Assistant & development framework that integrates lots of IM platforms, LLMs, plugins and AI feature, and can be your openclaw alternative. โจ - AstrBotDevs/AstrBot
๐จ CVE-2025-69690
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
๐@cveNotify
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
๐@cveNotify
seclists.org
Full Disclosure: [Full Disclosure] CVE-2025-69690 & CVE-2025-69691 โ Authenticated RCE in Netgate pfSense CE 2.7.2 and 2.8.0
๐จ CVE-2026-2300
The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify