๐จ CVE-2026-37454
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption
๐@cveNotify
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption
๐@cveNotify
๐จ CVE-2026-37452
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
๐@cveNotify
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
๐@cveNotify
๐จ CVE-2026-38637
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.
๐@cveNotify
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input.
๐@cveNotify
GitHub
pocs/redox/CVE-2026-38637 at master ยท Marsman1996/pocs
to show pocs found. Contribute to Marsman1996/pocs development by creating an account on GitHub.
๐จ CVE-2026-40080
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.
๐@cveNotify
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). When the user's login_opts == '1' (redirect to referer after login), the function used $_SERVER['HTTP_REFERER'] directly. An attacker could craft a referer such as https://evil.com/cacti/. Where CACTI_PATH_URL is /cacti/, the substring matches and the user is redirected to evil.com after login. The pre-existing validate_redirect_url() helper at lib/html_utility.php performed proper validation but was not invoked from auth_login_redirect(). This issue has been fixed in version 1.2.31.
๐@cveNotify
GitHub
Release v1.2.31 ยท Cacti/cacti
Release of Cacti 1.2.31
Thank you everyone who are using Cacti and especially those helping to make Cacti better!
For additional details check out the README located on GitHub.
Project Updates
This...
Thank you everyone who are using Cacti and especially those helping to make Cacti better!
For additional details check out the README located on GitHub.
Project Updates
This...
๐จ CVE-2026-40941
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.
๐@cveNotify
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import signature validation bypass allows which allows self-signed packages. This issue has been fixed in version 1.2.31.
๐@cveNotify
GitHub
feat(security): architectural security helpers โ eliminate vulnerability classes at root by somethingwithproof ยท Pull Request #7054โฆ
Summary
Nine security architecture items adding centralized gateways and hardening helpers to reduce attack surface across shell execution, HTTP fetch, LDAP, request handling, action dispatch, XSS ...
Nine security architecture items adding centralized gateways and hardening helpers to reduce attack surface across shell execution, HTTP fetch, LDAP, request handling, action dispatch, XSS ...
๐จ CVE-2026-13218
A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
๐@cveNotify
A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
๐@cveNotify
๐จ CVE-2026-48619
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
๐@cveNotify
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
๐@cveNotify
nodejs.org
Node.js โ Thursday, June 18, 2026 Security Releases
Node.jsยฎ is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
๐จ CVE-2026-48935
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
๐@cveNotify
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
๐@cveNotify
nodejs.org
Node.js โ Thursday, June 18, 2026 Security Releases
Node.jsยฎ is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
๐จ CVE-2026-57915
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
๐@cveNotify
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
๐@cveNotify
๐จ CVE-2026-13426
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
๐@cveNotify
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Advisory ID: MMSA-2025-00532
๐@cveNotify
Mattermost.com
Security Updates
Find information about Mattermost security updates, sign up for our Security Bulletin, read our Responsible Disclosure Policy, and more.
๐จ CVE-2025-63078
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
๐@cveNotify
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Restaurant Menu by MotoPress Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-63079
Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.
๐@cveNotify
Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Live Copy Paste for Elementor Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-64636
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
๐@cveNotify
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Donation Thermometer Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-66123
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
๐@cveNotify
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
๐@cveNotify
Patchstack
Insecure Direct Object References (IDOR) in WordPress BookPro Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-68052
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
๐@cveNotify
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
๐@cveNotify
Patchstack
Cross Site Request Forgery (CSRF) in WordPress Eagle Booking Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-68063
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
๐@cveNotify
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
๐@cveNotify
Patchstack
Local File Inclusion in WordPress Splash - Sport Club WordPress Theme for Basketball, Football, Hockey Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-68074
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
๐@cveNotify
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Image Carousel Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2025-68075
Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
๐@cveNotify
Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress BNE Testimonials Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-24547
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
๐@cveNotify
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress SiteGround Email Marketing Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.