6 days 20 hours ago
It was discovered that Roundcube Webmail mishandled Punycode xn-- domain names.
An attacker could possibly use this issue to cause a homograph attack. (CVE-2019-15237)
It was discovered that Roundcube Webmail did not properly sanitize certain
attributes when handling CSS within HTML messages and certain SVG attributes.
An attacker could possibly use this issue to cause a cross-site scripting attack.
(CVE-2024-38356, CVE-2024-38357)
It was discovered that Roundcube Webmail did not properly sanitize certain HTML
attributes when rendering e-mail messages. An attacker could possibly use this
issue to cause a cross-site scripting attack. (CVE-2024-42008)
It was discovered that Roundcube Webmail did not properly filter certain CSS token
sequences within rendered e-mail messages. An attacker could possibly use this
issue to obtain sensitive information. (CVE-2024-42010)
It was discovered that Roundcube Webmail did not properly treat an SVG
tag as an image source within its HTML sanitizer. An attacker could possibly use
this issue to bypass remote image blocking to track email open actions or
potentially bypass access control. (CVE-2026-25916)
It was discovered that Roundcube Webmail did not properly handle comments within
Cascading Style Sheets (CSS). An attacker could possibly use this issue to perform
a CSS injection attack. (CVE-2026-26079)
6 days 20 hours ago
Qualys discovered that several vulnerabilities existed in the AppArmor
Linux kernel Security Module (LSM). An unprivileged local attacker could
use these issues to load, replace, and remove arbitrary AppArmor profiles
causing denial of service, exposure of sensitive information (kernel
memory), local privilege escalation, or possibly escape a container.
(LP: #2143853, CVE-2026-23268, CVE-2026-23269, CVE-2026-23403,
CVE-2026-23404, CVE-2026-23405, CVE-2026-23406, CVE-2026-23407,
CVE-2026-23408, CVE-2026-23409, CVE-2026-23410, CVE-2026-23411)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM64 architecture;
- x86 architecture;
- Cryptographic API;
- GPU drivers;
- I2C subsystem;
- BTRFS file system;
- XFRM subsystem;
- Padata parallel execution mechanism;
- IPv4 networking;
- IPv6 networking;
- MAC80211 subsystem;
- Netfilter;
- Network traffic control;
- SMC sockets;
(CVE-2021-47599, CVE-2022-48875, CVE-2022-49046, CVE-2022-49698,
CVE-2024-46816, CVE-2024-49927, CVE-2024-56640, CVE-2025-21726,
CVE-2025-21780, CVE-2025-37849, CVE-2025-40019, CVE-2025-40215,
CVE-2026-23060, CVE-2026-23074)
6 days 22 hours ago
Christos Papakonstantinou discovered that the OpenSSH scp tool incorrectly
handled the legacy scp protocol (-O) option. This could result in certain
files being installed setuid or setgid, contrary to expectations.
(CVE-2026-35385)
Florian Kohnhäuser discovered that OpenSSH incorrectly handled shell
metacharacters in usernames within a command line. When untrusted usernames
and non-default configurations using % in ssh_config are being used, an
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-35386)
Christos Papakonstantinou discovered that OpenSSH incorrectly handled
parsing the PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms
options. This could result in unintended ECDSA algorithms being used,
contrary to expectations. (CVE-2026-35387)
Michalis Vasileiadis discovered that OpenSSH incorrectly handled
proxy-mode multiplexing sessions. This could result in no confirmation
being asked, contrary to expectations. (CVE-2026-35388)
Vladimir Tokarev discovered that OpenSSH incorrectly handled certificates
with the principal name containing a comma character when using user-trusted
CA keys in authorized_keys and an authorized_keys principals="" option
that lists more than one principal. This could result in inappropriate
principal matching, contrary to expectations. (CVE-2026-35414)