CVE Notify
19.3K subscribers
4 photos
206K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
๐Ÿšจ CVE-2025-27463
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2025-27464
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2025-58146
There are multiple issues.

1. Updates to the XAPI database sanitise input strings, but try
generating the notification using the unsanitised input. This
causes the database's event thread to terminate and cease further
processing.

2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but XAPI
uses libraries which conform to the stricter v3.1 of the Unicode
spec. This causes some strings to be accepted as valid UTF-8 by
XAPI, but rejected by other libraries in use. Notably, such strings
can be entered into the database, after which the database can no
longer be loaded.

3. There is no input sanitisation for Map/Set updates on objects in the
XAPI database.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2025-58151
varstored is a component of the Xapi toolstack handling UEFI Variables
for a VM. It has a communication path with OVMF inside the VM involving
mapping a buffer prepared by OVMF.

Within varstored, there were insufficient compiler barriers, creating
TOCTOU issues with data in the shared buffer.

The exact vulnerable behaviour depends on the code generated by the
compiler. In a build of varstored using default settings, the attacker
can control an index used in a jump table.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-11404
Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15187
A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object prototype attributes. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15188
A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-23556
When oxenstored is tearing a domain down, the node data is cleaned up
but the usage counts are leaked.

When the domain ID is eventually reused, the new domain can create fewer
nodes before beeing deemed to be over quota.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-23559
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]


XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.

Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-23561
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.

Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-23562
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.

Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-42486
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
XAPI can configure different users with different roles, using Role
Based Access Control. For more details, see:

https://docs.xenserver.com/en-us/xencenter/current-release/rbac-overview.html#rbac-roles

The pool-admin role is fully privileged. Notably, users with this role
can also SSH into the host as root.

The other administrator roles are pool-operator, vm-power-admin and
vm-admin, each of which are authorised to configure and manage various
aspects of the system.

Some settings are inadequately restricted, and can be set by a lower
privilege of administrator than expected.

* CVE-2026-23559: A vm-admin can set VBD.other_config:backend-local and
turn arbitrary files in dom0 into VDIs (virtual disks) and give said
disks to a VM they control. This is an arbitrary read and/or modify
of files in dom0.

* CVE-2026-23560: A vm-admin can set VM.other-config:is_system_domain
and mark a VM as a system domain. System domains are ignored and
left running during certain other host/pool operations, and may be
hidden from view in tooling.

* CVE-2026-23561: A vm-admin can set VM.other_config:storage_driver_domain
and mark a VM as the storage domain for a particular host storage
connection (PBD). Shutting down the VM can cause the PBD to be
erroneously marked as unplugged when it is not.

* CVE-2026-23562: Configuration of PCI passthrough is normally
restricted to the pool-admin role. However one API was missing this
check, allowing a vm-admin access to unintended host hardware.

* CVE-2026-42486: A vm-admin can set the VM.platform:hvm_serial
parameter, which should be restricted to the pool-admin role, as it
can allow arbitrary dom0 file write.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-59207
n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, allowing a member-level user with use-only access to a shared credential to send its secret to an external server they control. This issue is fixed in versions 2.27.4 and 2.28.1.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-61474
An improper authorization check in MISPโ€™s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing_group_id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly set to 4 โ€” โ€œsharing groupโ€.


As a result, a user could reference or associate an attribute with a sharing group they were not authorized to use. This could lead to an access-control bypass affecting the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships.


The patch changes the authorization logic so that the sharing group permission check is performed whenever a non-empty sharing_group_id is provided, regardless of the selected distribution value.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-13461
When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-13462
PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15190
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This affects an unknown part of the file /login.php. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15191
A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15192
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15193
A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-15194
A security flaw has been discovered in Open5GS 2.7.7. This affects the function amf_context_final of the file src/amf/context.c of the component AMF. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks.

๐ŸŽ–@cveNotify