CVE-2025-68710
Easyelife App lock (aka Fingerprint, Applock or locker.app.safe.applocker) 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome), resulting in information disclosure and privilege escalation.
@cveNotify
GitHub
GitHub - actuator/locker.app.safe.applocker
CVE-2025-68708
SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
@cveNotify
GitHub
GitHub - actuator/com.alpha.applock
CVE-2025-68711
AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
@cveNotify
GitHub
GitHub - actuator/applock.passwordfingerprint.applockz
CVE-2026-8359
When processing a request with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is to be loaded to handle such URL patterns. The WOSBin_LoadHttpModule function in the dll would be called to set up a "module" object for that module. However, WOSHttpStatusModule.dll is not present in the installation. As a result, a function pointer to WOSBin_LoadHttpModule (which would have been in the export table in WOSHttpStatusModule.dll) is set to NULL, resulting in calling a function at address 0.
@cveNotify
Tenable®
Gladinet Triofox Server Agent Multiple Vulnerabilities
Multiple vulnerabilities exist in Gladinet Triofox Server Agent 17.1.10488.57063.
CVE-2026-8360
Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (e.g., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned NULL pointer is not checked before being dereferenced.
@cveNotify
Tenable®
Gladinet Triofox Server Agent Multiple Vulnerabilities
CVE-2026-8361
A path traversal vulnerability exists in WOSDefaultHttpModule.dll when processing a URL path starting with /woshome
@cveNotify
Tenable®
Gladinet Triofox Server Agent Multiple Vulnerabilities
CVE-2026-8363
A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources:
@cveNotify
Tenable®
Gladinet Triofox Server Agent Multiple Vulnerabilities
CVE-2026-8364
Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavCache.
@cveNotify
Tenable®
Gladinet Triofox Server Agent Multiple Vulnerabilities
CVE-2026-21785
A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.
@cveNotify
Hcl-Software
Security Bulletin: HCL BigFix Remote Control is affected by multiple security vulnerabilities - Customer Support
Security vulnerabilities related to Inconsistent Interpretation of HTTP Requests (CVE-2026-33870), Allocation
CVE-2026-44660
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
@cveNotify
GitHub
Fix failure cleanup paths in ujson.dump() · ultrajson/ultrajson@82af1d0
* Add missing dec-refs for if PyTuple_Pack() or writing the payload to
file fails
* Add missing bailout for failed PyTuple_Pack()
* Add tests for all but the PyTuple_Pack() failing (which requi...
CVE-2026-44709
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7.
@cveNotify
GitHub
PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution; keyring password exposed in process arguments
## Summary
### Arbitrary execution via `PINENTRY_FALLBACK_APP` (`tools/pamusb-pinentry`)
`pamusb-pinentry` reads the `PINENTRY_FALLBACK_APP` environment variable and executes it directly with...
CVE-2026-44710
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks. The GIO/UDisks API documentation states these accessors can return NULL for devices that do not expose the corresponding field. Passing NULL to strcmp() is undefined behaviour (typically a SIGSEGV). This vulnerability is fixed in 0.8.7.
@cveNotify
GitHub
NULL pointer dereference from UDisks device fields causes PAM crash and login denial-of-service
## Summary
`src/device.c` passed the return values of `udisks_drive_get_serial()`, `udisks_drive_get_vendor()`, and `udisks_drive_get_model()` directly to `strcmp()` without NULL checks:
CVE-2026-44711
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7.
@cveNotify
GitHub
Symlink attacks on pad directory and pad files enable authentication bypass and root file corruption
## Summary
`src/pad.c` contained three related weaknesses in filesystem path handling for the one-time pad.
### H-4 – Pad directory symlink -> authentication bypass
`stat()` (which foll...
CVE-2026-44712
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7.
@cveNotify
GitHub
Shell injection via device UUID and username in pamusb-conf and pamusb-agent
## Summary
Two Python helper tools passed user-controlled data into shell commands.
### C-2 – `tools/pamusb-conf` (UUID injection)
The device UUID read from the XML config was interpolated...
CVE-2026-44247
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4.
@cveNotify
GitHub
Webhook server vulnerable to OOM due to unbounded HTTP request body size
### Impact
The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request bo...
CVE-2026-44720
OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4.
@cveNotify
GitHub
Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
### Overview
A critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. The issue has been fixed.
CVE-2026-45083
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
@cveNotify
GitHub
refactor: remove unused /api/v1/index/stream endpoint · intranda/goobi-viewer-core@326980f
Goobi viewer - Presentation software for digital libraries, museums, archives and galleries. Open Source.
CVE-2026-45152
uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim's system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1.
@cveNotify
GitHub
Command Injection in tool.Check Leading to Arbitrary Code Execution
I discovered a command injection vulnerability in uniget that allows arbitrary command execution through the metadata loading and version check mechanism.
### Summary
A command injection vu...
CVE-2026-9208
Tanium addressed an unauthorized code execution vulnerability in Connect.
@cveNotify
CVE-2026-4802
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
@cveNotify
CVE-2026-45322
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user.
@cveNotify
GitHub
OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON
### Summary
Microsoft UFO tagged releases up to and including `v3.0.0` contain an OS command injection vulnerability in the shell action replay path.
In affected releases, `ShellReceiver.run_...