π¨ CVE-2026-43735
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
π@cveNotify
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
π@cveNotify
Apple Support
About the security content of iOS 26.5.2 and iPadOS 26.5.2 - Apple Support
This update delivers security fixes that were first made available in the iOS 26.6 and iPadOS 26.6 betas. This document describes the security content of iOS 26.5.2 and iPadOS 26.5.2.
π¨ CVE-2026-12610
A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.
π@cveNotify
A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.
π@cveNotify
π¨ CVE-2026-57081
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input.
bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses.
A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
π@cveNotify
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input.
bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses.
A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
π@cveNotify
GitHub
CVE-2026-57081 Net::BitTorrent: bencode decoder uncontrolled recursion + O(N^2) memory amplification -> memory-exhaustion DoS
bdecode (Protocol/BEP03/Bencode.pm:13) recurses once per nested list/dict level with no depth cap. Worse, each recursive call takes the remaining buffer by value (the $string parameter) and the li...
π¨ CVE-2026-27955
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464.
π@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_compose_custom_start_command fields are interpolated directly, allowing a single quote to break out of the bash -c argument and execute commands on the managed server host (outside the intended Docker container context). This vulnerability is fixed in 4.0.0-beta.464.
π@cveNotify
GitHub
Command Injection via Single-Quote Breakout in `executeInDocker()`
## Summary
The `executeInDocker()` helper wraps commands in `bash -c '{$command}'` without escaping single quotes. User-controlled `docker_compose_custom_build_command` and `docker_compo...
The `executeInDocker()` helper wraps commands in `bash -c '{$command}'` without escaping single quotes. User-controlled `docker_compose_custom_build_command` and `docker_compo...
π¨ CVE-2026-27956
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
π@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
π@cveNotify
GitHub
Cross-team application domain enumeration via domains_by_server endpoint
## Summary
`GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional `uuid` query parameter is provided. Any authenticated API user can enumerate domain...
`GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional `uuid` query parameter is provided. Any authenticated API user can enumerate domain...
π¨ CVE-2026-27957
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464.
π@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464.
π@cveNotify
GitHub
Authenticated RCE via command injection in CA certificate management feature
### Summary
An authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on th...
An authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on th...
π¨ CVE-2026-44947
A missing clean-up in the legacy Project Role Template Binding (PRTB)
reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security
Admission (PSA) permissions after an administrator removes those
permissions from a RoleTemplate.
π@cveNotify
A missing clean-up in the legacy Project Role Template Binding (PRTB)
reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security
Admission (PSA) permissions after an administrator removes those
permissions from a RoleTemplate.
π@cveNotify
GitHub
Stale PSA ClusterRoleBinding Persists After RoleTemplate Downgrade in Rancher
### Impact
A vulnerability in the legacy Project Role Template Binding (PRTB) reconciler in Rancher allows users to retain unauthorized Pod Security Admission (PSA) permissions after an administ...
A vulnerability in the legacy Project Role Template Binding (PRTB) reconciler in Rancher allows users to retain unauthorized Pod Security Admission (PSA) permissions after an administ...
π¨ CVE-2026-44949
A Rancher FleetWorkspace admission path allowed side effects to occur in
the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to
the in-cluster rancher-webhook service
could submit a crafted admission payload and cause workspace-related
Kubernetes objects to be created with attacker-chosen identity data.
π@cveNotify
A Rancher FleetWorkspace admission path allowed side effects to occur in
the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to
the in-cluster rancher-webhook service
could submit a crafted admission payload and cause workspace-related
Kubernetes objects to be created with attacker-chosen identity data.
π@cveNotify
GitHub
Unauthenticated namespace creation and RBAC injection via rancher-webhook FleetWorkspace mutating webhook
### Impact
A Rancher FleetWorkspace admission path allowed side effects to occur in the webhook handler. An unauthenticated attacker with network access to the in-cluster `rancher-webhook` servi...
A Rancher FleetWorkspace admission path allowed side effects to occur in the webhook handler. An unauthenticated attacker with network access to the in-cluster `rancher-webhook` servi...
π¨ CVE-2026-48192
A vulnerability has been identified in Mendix Studio Pro 10.11 (All versions), Mendix Studio Pro 10.12 (All versions), Mendix Studio Pro 10.13 (All versions), Mendix Studio Pro 10.14 (All versions), Mendix Studio Pro 10.15 (All versions), Mendix Studio Pro 10.16 (All versions), Mendix Studio Pro 10.17 (All versions), Mendix Studio Pro 10.18 (All versions), Mendix Studio Pro 10.19 (All versions), Mendix Studio Pro 10.20 (All versions), Mendix Studio Pro 10.21 (All versions), Mendix Studio Pro 10.22 (All versions), Mendix Studio Pro 10.23 (All versions), Mendix Studio Pro 10.24 (All versions < V10.24.21), Mendix Studio Pro 11.0 (All versions), Mendix Studio Pro 11.1 (All versions), Mendix Studio Pro 11.10 (All versions), Mendix Studio Pro 11.11 (All versions), Mendix Studio Pro 11.2 (All versions), Mendix Studio Pro 11.3 (All versions), Mendix Studio Pro 11.4 (All versions), Mendix Studio Pro 11.5 (All versions), Mendix Studio Pro 11.6 (All versions < V11.6.7), Mendix Studio Pro 11.7 (All versions), Mendix Studio Pro 11.8 (All versions), Mendix Studio Pro 11.9 (All versions). Affected versions of Mendix Studio Pro do not properly validate or sanitize project files processed during the build pipeline.
This could allow an attacker who tricks a user into opening and running a specially crafted malicious project locally on their system to execute arbitrary code in the context of that user.
π@cveNotify
A vulnerability has been identified in Mendix Studio Pro 10.11 (All versions), Mendix Studio Pro 10.12 (All versions), Mendix Studio Pro 10.13 (All versions), Mendix Studio Pro 10.14 (All versions), Mendix Studio Pro 10.15 (All versions), Mendix Studio Pro 10.16 (All versions), Mendix Studio Pro 10.17 (All versions), Mendix Studio Pro 10.18 (All versions), Mendix Studio Pro 10.19 (All versions), Mendix Studio Pro 10.20 (All versions), Mendix Studio Pro 10.21 (All versions), Mendix Studio Pro 10.22 (All versions), Mendix Studio Pro 10.23 (All versions), Mendix Studio Pro 10.24 (All versions < V10.24.21), Mendix Studio Pro 11.0 (All versions), Mendix Studio Pro 11.1 (All versions), Mendix Studio Pro 11.10 (All versions), Mendix Studio Pro 11.11 (All versions), Mendix Studio Pro 11.2 (All versions), Mendix Studio Pro 11.3 (All versions), Mendix Studio Pro 11.4 (All versions), Mendix Studio Pro 11.5 (All versions), Mendix Studio Pro 11.6 (All versions < V11.6.7), Mendix Studio Pro 11.7 (All versions), Mendix Studio Pro 11.8 (All versions), Mendix Studio Pro 11.9 (All versions). Affected versions of Mendix Studio Pro do not properly validate or sanitize project files processed during the build pipeline.
This could allow an attacker who tricks a user into opening and running a specially crafted malicious project locally on their system to execute arbitrary code in the context of that user.
π@cveNotify
π¨ CVE-2026-4360
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
π@cveNotify
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
π@cveNotify
GitHub
[3.14] gh-151987: Pass filter_function to `TarFile._extract_one()` du⦠· python/cpython@5e0ef3f
β¦ring `.extract()` (GH-151988) (#152609)
(cherry picked from commit 7ccdbaba2c54250a70d7f25632152df7655a5e0a)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth ...
(cherry picked from commit 7ccdbaba2c54250a70d7f25632152df7655a5e0a)
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Seth ...
π¨ CVE-2026-13455
PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
π@cveNotify
PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
π@cveNotify
GitLab
anon.hash() is missing the RESTRICTED label, so a masked role can use it as a hashing oracle (#649) Β· Issues Β· dalibo / PostgreSQLβ¦
Short version: Every salt-reading SECURITY DEFINER function in the extension is labelled RESTRICTED so masked roles can't call it directly. Except anon.hash(), which has no...
π¨ CVE-2026-44948
A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service.
π@cveNotify
A path traversal vulnerability was found in Fleet's ImageScan subsystem in Rancher Fleet 0.12.0 up to 0.12.16, 0.13.0 up to 0.13.12, 0.14.0 up to 0.14.7 and 0.15.0 up to 0.15.3 could be used to traverse outside of the intended directory, causing a denial of service.
π@cveNotify
GitHub
Path Traversal in Fleet ImageScan GitRepo Path Handler
### Impact
A path traversal vulnerability was found in Fleet's ImageScan subsystem. The Fleet controller processes entries in `gitrepo.Spec.Paths` without validating that the resolved filesy...
A path traversal vulnerability was found in Fleet's ImageScan subsystem. The Fleet controller processes entries in `gitrepo.Spec.Paths` without validating that the resolved filesy...
π¨ CVE-2026-48276
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48277
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48282
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48283
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48285
ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48286
Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe Campaign Classic | APSB26-69
π¨ CVE-2026-48307
ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially resulting in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious link. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48313
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction. Scope is changed.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68
π¨ CVE-2026-48314
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.
π@cveNotify
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited read and write access to unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.
π@cveNotify
Adobe
Adobe Security Bulletin
Security updates available for Adobe ColdFusion | APSB26-68