CVE Notify
Alert on the latest CVEs

🚨 CVE-2026-5952
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks.

🎖@cveNotify
🚨 CVE-2026-8330
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint.

🚨 CVE-2026-10824
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

🚨 CVE-2026-5305
The Email Address Encoder WordPress plugin before 1.0.25 and the email-encoder-premium WordPress plugin before 0.3.12 do not properly handle email replacement, which could allow unauthenticated users to perform stored XSS attacks.

🚨 CVE-2026-9702
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

🚨 CVE-2026-12937
The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.

🚨 CVE-2026-41566
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: 2.8.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

🚨 CVE-2026-45188
Relative Path Traversal vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

🚨 CVE-2026-46751
A vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

🚨 CVE-2026-54226
A vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

🚨 CVE-2026-56091
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass.
This vulnerability is similar to CVE-2020-1957 (https://www.cve.org/CVERecord?id=CVE-2020-1957), except that it affects the `shiro-guice` module instead of the `shiro-spring` module.

This issue affects all Apache Shiro versions through 2.x, and 3.0.0-alpha-1, only when using the `shiro-guice` module in a web servlet context.

Upgrade to version 3.0.0 or later, which fixes the issue.

🚨 CVE-2026-56130
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed.
This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe functionality is enabled.
Upgrade to version 3.0.0 or later, which fixes the issue.

🚨 CVE-2026-42005
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

🚨 CVE-2026-33612
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.

🚨 CVE-2026-40011
An attacker sending a large number of crafted DNS queries might be able to trigger the insertion of a dynamic block whose value causes invalid output in the Prometheus metrics endpoint. The Prometheus endpoint is then rejected by the scraper until the dynamic block expires.

🚨 CVE-2026-40208
An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.

🚨 CVE-2026-40211
An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents a buffer from being freed right away. The buffer is freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

🚨 CVE-2026-42004
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist's filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.

🚨 CVE-2026-12755
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
