π¨ CVE-2026-53176
In the Linux kernel, the following vulnerability has been resolved:
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.
isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.
Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.
isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.
Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
π@cveNotify
π¨ CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
π@cveNotify
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
π@cveNotify
π¨ CVE-2026-54369
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
π@cveNotify
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() that allows local attackers to escalate privileges by replacing any pathname component with a symbolic link. Attackers who control any component of a pathname processed by a privileged caller can redirect ACL read or write operations to arbitrary files or directories, enabling unauthorized manipulation of access control lists and local privilege escalation.
π@cveNotify
π¨ CVE-2026-23537
A vulnerability has been identified in the Feast Feature Serverβs `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.
π@cveNotify
A vulnerability has been identified in the Feast Feature Serverβs `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.
π@cveNotify
π¨ CVE-2026-54430
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT
header. If signer matches the configured ARN, kid is appended to
alb_base_url without URL encoding or path sanitization, and the HTTP GET
is issued before signature verification. This allows an attacker to force
the server to send a GET request to an attacker-chosen internal path.
This issue was fixed in version 2.3.0
π@cveNotify
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT
header. If signer matches the configured ARN, kid is appended to
alb_base_url without URL encoding or path sanitization, and the HTTP GET
is issued before signature verification. This allows an attacker to force
the server to send a GET request to an attacker-chosen internal path.
This issue was fixed in version 2.3.0
π@cveNotify
cert.pl
Vulnerabilities in OpenIDC liboauth2 software
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-54430 and CVE-2026-54431) found in OpenIDC liboauth2 software.
π¨ CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.
This issue was fixed in version 2.3.0
π@cveNotify
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.
This issue was fixed in version 2.3.0
π@cveNotify
cert.pl
Vulnerabilities in OpenIDC liboauth2 software
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-54430 and CVE-2026-54431) found in OpenIDC liboauth2 software.
π¨ CVE-2025-58902
Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
π@cveNotify
Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
π@cveNotify
Patchstack
Local File Inclusion in WordPress Lighthouse Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-66076
Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.
π@cveNotify
Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.
π@cveNotify
Patchstack
Broken Access Control in WordPress Woostify Sites Library Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-69134
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress β Helper <= 1.1.4 versions.
π@cveNotify
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress β Helper <= 1.1.4 versions.
π@cveNotify
Patchstack
Arbitrary Content Deletion in WordPress OpenAI Chatbot for WordPress β Helper Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-69152
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
π@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
π@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Artale | Wedding Photography WordPress Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-69153
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
π@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
π@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Trendy Travel Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-69154
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
π@cveNotify
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
π@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress SpaLab | Beauty Salon WordPress Theme Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-69155
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
π@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
π@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Fitness Zone WordPress Theme Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-69156
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.
π@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.
π@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Kids Zone - Children WordPress Theme Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2026-11946
An unauthenticated remote attacker can exhaust
server memory via the GetEndpoints Discovery Service in open62541. The
endpointUrl field of GetEndpointsRequest is not validated for length. An
attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32
length field) delivered across intermediate chunks without ever sending the
final chunk. The server buffers all chunks in RAM indefinitely until the
SecureChannel times out. The attack is
pre-session and bypasses all encryption configurations.
The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
π@cveNotify
An unauthenticated remote attacker can exhaust
server memory via the GetEndpoints Discovery Service in open62541. The
endpointUrl field of GetEndpointsRequest is not validated for length. An
attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32
length field) delivered across intermediate chunks without ever sending the
final chunk. The server buffers all chunks in RAM indefinitely until the
SecureChannel times out. The attack is
pre-session and bypasses all encryption configurations.
The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
π@cveNotify
GitHub
GitHub - open62541/open62541: Open source implementation of OPC UA (OPC Unified Architecture) aka IEC 62541 licensed under Mozillaβ¦
Open source implementation of OPC UA (OPC Unified Architecture) aka IEC 62541 licensed under Mozilla Public License v2.0 - open62541/open62541
π¨ CVE-2026-14449
u5CMS through v12.8.8 is vulnerable to reflected XSS via the βthanksβ parameter in multiple form components
π@cveNotify
u5CMS through v12.8.8 is vulnerable to reflected XSS via the βthanksβ parameter in multiple form components
π@cveNotify
GitHub
Release u5cms-12.8.9 Β· u5cms/u5cms
What's Changed
This release fixes CVE-2026-14449.
Thanks xss fix by @stemind in #177
Full Changelog: v12.8.8...v12.8.9
This release fixes CVE-2026-14449.
Thanks xss fix by @stemind in #177
Full Changelog: v12.8.8...v12.8.9
π¨ CVE-2026-27060
Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.
π@cveNotify
Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.
π@cveNotify
Patchstack
PHP Object Injection in WordPress ARMember Premium Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.