๐จ CVE-2026-13462
PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.
๐@cveNotify
PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.
๐@cveNotify
cwe.mitre.org
CWE -
CWE-295: Improper Certificate Validation (4.20)
CWE-295: Improper Certificate Validation (4.20)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
๐จ CVE-2026-15308
The incremental HTML parser (html.parser.HTMLParser) allows for CPU
denial-of-service through repeated unterminated markup declarations when
processing uncontrolled data.
๐@cveNotify
The incremental HTML parser (html.parser.HTMLParser) allows for CPU
denial-of-service through repeated unterminated markup declarations when
processing uncontrolled data.
๐@cveNotify
GitHub
[3.14] gh-153030: Fix quadratic complexity in incremental parsing in โฆ ยท python/cpython@07efb08
โฆHTMLParser (GH-153031) (GH-153039)
When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both qua...
When an unterminated construct (e.g. a tag or comment) spanned many
feed() calls, rescanning the growing buffer and concatenating new data
onto it were both qua...
๐จ CVE-2026-55420
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
๐@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
๐@cveNotify
GitHub
SECURITY: Harden imagemagick execution ยท discourse/discourse@ca5a7e0
Add a default-deny ImageMagick security policy at `config/imagemagick/policy.xml`, loaded via `MAGICK_CONFIGURE_PATH` which is set in `config/initializers/003-imagemagick.rb`. Child processes inher...
๐จ CVE-2026-0279
Multiple cross site scripting vulnerabilities in the User-IDโข Authentication Portal (aka Captive Portal) service, GlobalProtectโข gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OSยฎ software enables a malicious unauthenticated user to store or execute malicious JavaScript payload.
The security risk posed by this issue is minimized when the management interface and access to the User-IDโข Authentication Portal is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW is not affected by this vulnerability.
๐@cveNotify
Multiple cross site scripting vulnerabilities in the User-IDโข Authentication Portal (aka Captive Portal) service, GlobalProtectโข gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OSยฎ software enables a malicious unauthenticated user to store or execute malicious JavaScript payload.
The security risk posed by this issue is minimized when the management interface and access to the User-IDโข Authentication Portal is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW is not affected by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0279 PAN-OS: Multiple Cross-Site Scripting (XSS) Vulnerabilities
Multiple cross site scripting vulnerabilities in the User-IDโข Authentication Portal (aka Captive Portal) service, GlobalProtectโข gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OS...
๐จ CVE-2026-0280
An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services.
Cloud NGFW and Panorama are not impacted by this vulnerability.
๐@cveNotify
An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services.
Cloud NGFW and Panorama are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0280 PAN-OS: IPv6 Firewall Policy Bypass
An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network tra...
๐จ CVE-2026-0281
An information disclosure vulnerability in Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to the management web interface to obtain web session tokens. This requires a legitimate user to first click on a malicious link provided by the attacker.
The security risk posed by this issue is minimized by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
An information disclosure vulnerability in Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to the management web interface to obtain web session tokens. This requires a legitimate user to first click on a malicious link provided by the attacker.
The security risk posed by this issue is minimized by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0281 PAN-OS: Information Disclosure Vulnerability in Management Web Interface
An information disclosure vulnerability in Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to the management web interface to obtain web session tokens. Thi...
๐จ CVE-2026-0282
A file deletion vulnerability in Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory.
The security risk posed by this issue is minimized by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
A file deletion vulnerability in Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory.
The security risk posed by this issue is minimized by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0282 PAN-OS: File Deletion Vulnerability in Management Web Interface
A file deletion vulnerability in Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory....
๐จ CVE-2026-0283
An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN connection.
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN connection.
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0283 PAN-OS: Authentication Bypass Vulnerability in Large Scale VPN (LSVPN)
An authentication bypass vulnerability in Large Scale VPN ( LSVPN) functionality of Palo Alto Networks PAN-OS software allows an attacker with network access to bypass security restrictions and establ...
๐จ CVE-2026-0284
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data.
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0284 PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)
An XML injection vulnerability in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker with network access to inject malicious XML conte...
๐จ CVE-2026-0285
A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal services.
The security risk posed by this issue is minimized when the management interface is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized requests from the firewall to internal services.
The security risk posed by this issue is minimized when the management interface is restricted to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
Panorama, Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0285 PAN-OS: Server-Side Request Forgery Vulnerability in Management Web Interface
A server-side request forgery (SSRF) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator with network access to the management web interface to make unauthorized...
๐จ CVE-2026-0286
A command injection vulnerability in the management plane of Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to execute arbitrary OS commands as root.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma Accessยฎ are not impacted by this vulnerability.
๐@cveNotify
A command injection vulnerability in the management plane of Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to execute arbitrary OS commands as root.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma Accessยฎ are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0286 PAN-OS: Authenticated Command Injection in CLI
A command injection vulnerability in the management plane of Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to execute arbitrary OS commands as root.
The security risk pos...
The security risk pos...
๐จ CVE-2026-0287
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OSยฎ software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic to or through a dataplane interface. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.
Panorama is not impacted by these vulnerabilities.
๐@cveNotify
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OSยฎ software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic to or through a dataplane interface. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.
Panorama is not impacted by these vulnerabilities.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OSยฎ software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending speciall...
๐จ CVE-2026-13373
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13936.
This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13936.
This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Watchguard
WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Tigerpaw Technology Integration Configuration
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path forโฆ
๐จ CVE-2026-13374
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937.
This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13937.
This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Watchguard
WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in ConnectWise Technology Integration Configuration
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack pathโฆ
๐จ CVE-2026-13375
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13938.
This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-13938.
This issue affects Fireware OS 12.4 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Watchguard
WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in Autotask Technology Integration Configuration
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This vulnerability is an additional unmitigated attack path forโฆ
๐จ CVE-2026-13376
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS spamBlocker module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-1071.
This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS spamBlocker module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-1071.
This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Watchguard
WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in spamBlocker Module
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS spamBlocker module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-1071.
๐จ CVE-2026-13377
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS SIP Proxy module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-6947.
This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS SIP Proxy module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-6947.
This issue affects Fireware OS 12.0 up to and including 12.12, 12.5 up to and including 12.5.18, and 2025.1 up to and including 2026.2.
๐@cveNotify
Watchguard
WatchGuard Firebox Stored Cross-Site-Scripting (XSS) Vulnerability in SIP Proxy Configuration
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS SIP Proxy module allows Stored XSS. This vulnerability is an additional unmitigated attack path for CVE-2025-6947.
๐จ CVE-2026-13383
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS ikestubd process could allow an authenticated privileged user to execute arbitrary code via a specially crafted requests to the Management Web UI.This vulnerability affects Fireware OS 12.1 up to and including 12.12 and 2025.1 up to and including 2026.2.
๐@cveNotify
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS ikestubd process could allow an authenticated privileged user to execute arbitrary code via a specially crafted requests to the Management Web UI.This vulnerability affects Fireware OS 12.1 up to and including 12.12 and 2025.1 up to and including 2026.2.
๐@cveNotify
Watchguard
WatchGuard Firebox ikestubd Out of Bounds Write Vulnerability
An Out-of-bounds Write vulnerability in WatchGuard Fireware OS ikestubd process could allow an authenticated privileged user to execute arbitrary code via a specially crafted requests to the Management Web UI.
๐จ CVE-2026-14940
A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When
normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a
multivalued nested Relative Distinguished Name (RDN), the server can write past the
end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated
remote attacker can trigger this condition by sending an LDAP operation whose DN
reaches the DN normalization routine, such as a search with a crafted base DN. This
can corrupt heap memory and may cause denial of service.
๐@cveNotify
A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When
normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a
multivalued nested Relative Distinguished Name (RDN), the server can write past the
end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated
remote attacker can trigger this condition by sending an LDAP operation whose DN
reaches the DN normalization routine, such as a search with a crafted base DN. This
can corrupt heap memory and may cause denial of service.
๐@cveNotify
๐จ CVE-2026-14969
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
๐@cveNotify
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
๐@cveNotify
๐จ CVE-2025-12506
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
๐@cveNotify
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
๐@cveNotify