🚨 CVE-2026-14867
Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials.
Active Directory accounts are not affected by this vulnerability.
🎖@cveNotify
Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials.
Active Directory accounts are not affected by this vulnerability.
🎖@cveNotify
PcVue
Security Bulletins | PcVue
Stay informed with the latest PcVue security bulletins. Review updates, patches, and advisories to keep your system protected and up to date.
🚨 CVE-2026-14868
The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.
🎖@cveNotify
The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.
🎖@cveNotify
PcVue
Security Bulletins | PcVue
Stay informed with the latest PcVue security bulletins. Review updates, patches, and advisories to keep your system protected and up to date.
🚨 CVE-2026-11340
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Liman MYS: before release.Master.1107.
🎖@cveNotify
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Liman MYS: before release.Master.1107.
🎖@cveNotify
siberguvenlik.gov.tr
T.C. Siber Güvenlik Başkanlığı
Türkiye Cumhuriyeti Cumhurbaşkanlığı Siber Güvenlik Başkanlığı resmi web sitesi.
🚨 CVE-2011-10043
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded.
Module names starting with "::" could be passed to the load function to specify arbitrary module paths.
Attackers able to influence module names passed to load could use that bug to execute arbitrary code.
🎖@cveNotify
Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loaded.
Module names starting with "::" could be passed to the load function to specify arbitrary module paths.
Attackers able to influence module names passed to load could use that bug to execute arbitrary code.
🎖@cveNotify
🚨 CVE-2026-11348
Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data.
This issue affects Liman MYS: before release.Master.1107.
🎖@cveNotify
Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data.
This issue affects Liman MYS: before release.Master.1107.
🎖@cveNotify
siberguvenlik.gov.tr
T.C. Siber Güvenlik Başkanlığı
Türkiye Cumhuriyeti Cumhurbaşkanlığı Siber Güvenlik Başkanlığı resmi web sitesi.
🚨 CVE-2026-13696
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection.
This issue affects Liman MYS: before release.Master.1107.
🎖@cveNotify
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in HAVELSAN Inc. Liman MYS allows LDAP Injection.
This issue affects Liman MYS: before release.Master.1107.
🎖@cveNotify
siberguvenlik.gov.tr
T.C. Siber Güvenlik Başkanlığı
Türkiye Cumhuriyeti Cumhurbaşkanlığı Siber Güvenlik Başkanlığı resmi web sitesi.
🚨 CVE-2026-57986
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-57987
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
🎖@cveNotify
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
🎖@cveNotify
🚨 CVE-2026-57988
Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-57991
Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
🎖@cveNotify
Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
🎖@cveNotify
🚨 CVE-2026-57992
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-58287
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-58289
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-58292
Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-58293
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-58294
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
🎖@cveNotify
🚨 CVE-2026-58295
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
🎖@cveNotify
Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
🎖@cveNotify
🚨 CVE-2025-49795
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
🎖@cveNotify
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
🎖@cveNotify
🚨 CVE-2026-11774
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
🎖@cveNotify
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
🎖@cveNotify
🚨 CVE-2026-58593
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.
🎖@cveNotify
NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.
🎖@cveNotify
GitHub
NodeBB/src/activitypub/mocks.js at v4.13.2 · NodeBB/NodeBB
Node.js based forum software built for the modern web - NodeBB/NodeBB
🚨 CVE-2026-57977
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
🎖@cveNotify
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
🎖@cveNotify