Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free<br /> <br /> Currently we execute `SET_NETDEV_DEV(dev, &amp;priv-&gt;lowerdev-&gt;dev)` for<br /> the virt_wifi net devices. However, unregistering a virt_wifi device in<br /> netdev_run_todo() can happen together with the device referenced by<br /> SET_NETDEV_DEV().<br /> <br /> It can result in use-after-free during the ethtool operations performed<br /> on a virt_wifi device that is currently being unregistered. Such a net<br /> device can have the `dev.parent` field pointing to the freed memory,<br /> but ethnl_ops_begin() calls `pm_runtime_get_sync(dev-&gt;dev.parent)`.<br /> <br /> Let&amp;#39;s remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0<br /> Read of size 2 at addr ffff88810cfc46f8 by task pm/606<br /> <br /> Call Trace:<br /> <br /> dump_stack_lvl+0x4d/0x70<br /> print_report+0x170/0x4f3<br /> ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> kasan_report+0xda/0x110<br /> ? __pm_runtime_resume+0xe2/0xf0<br /> ? __pm_runtime_resume+0xe2/0xf0<br /> __pm_runtime_resume+0xe2/0xf0<br /> ethnl_ops_begin+0x49/0x270<br /> ethnl_set_features+0x23c/0xab0<br /> ? __pfx_ethnl_set_features+0x10/0x10<br /> ? kvm_sched_clock_read+0x11/0x20<br /> ? local_clock_noinstr+0xf/0xf0<br /> ? local_clock+0x10/0x30<br /> ? kasan_save_track+0x25/0x60<br /> ? __kasan_kmalloc+0x7f/0x90<br /> ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0<br /> genl_family_rcv_msg_doit+0x1e7/0x2c0<br /> ? __pfx_genl_family_rcv_msg_doit+0x10/0x10<br /> ? __pfx_cred_has_capability.isra.0+0x10/0x10<br /> ? stack_trace_save+0x8e/0xc0<br /> genl_rcv_msg+0x411/0x660<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> ? __pfx_ethnl_set_features+0x10/0x10<br /> netlink_rcv_skb+0x121/0x380<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> ? __pfx_netlink_rcv_skb+0x10/0x10<br /> ? __pfx_down_read+0x10/0x10<br /> genl_rcv+0x23/0x30<br /> netlink_unicast+0x60f/0x830<br /> ? __pfx_netlink_unicast+0x10/0x10<br /> ? __pfx___alloc_skb+0x10/0x10<br /> netlink_sendmsg+0x6ea/0xbc0<br /> ? __pfx_netlink_sendmsg+0x10/0x10<br /> ? __futex_queue+0x10b/0x1f0<br /> ____sys_sendmsg+0x7a2/0x950<br /> ? copy_msghdr_from_user+0x26b/0x430<br /> ? __pfx_____sys_sendmsg+0x10/0x10<br /> ? __pfx_copy_msghdr_from_user+0x10/0x10<br /> ___sys_sendmsg+0xf8/0x180<br /> ? __pfx____sys_sendmsg+0x10/0x10<br /> ? __pfx_futex_wait+0x10/0x10<br /> ? fdget+0x2e4/0x4a0<br /> __sys_sendmsg+0x11f/0x1c0<br /> ? __pfx___sys_sendmsg+0x10/0x10<br /> do_syscall_64+0xe2/0x570<br /> ? exc_page_fault+0x66/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> This fix may be combined with another one in the ethtool subsystem:<br /> https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fuse: reject oversized dirents in page cache<br /> <br /> fuse_add_dirent_to_cache() computes a serialized dirent size from the<br /> server-controlled namelen field and copies the dirent into a single<br /> page-cache page. The existing logic only checks whether the dirent fits<br /> in the remaining space of the current page and advances to a fresh page<br /> if not. It never checks whether the dirent itself exceeds PAGE_SIZE.<br /> <br /> As a result, a malicious FUSE server can return a dirent with<br /> namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB<br /> page systems this causes memcpy() to overflow the cache page by 24 bytes<br /> into the following kernel page.<br /> <br /> Reject dirents that cannot fit in a single page before copying them into<br /> the readdir cache.

A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.04.10 is able to mitigate this issue. The identifier of the patch is 0072d3488ae5b8d922d3ee87458d829993742a32. It is recommended to upgrade the affected component.

A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: "[J]ust to be safe, probably never happen".

A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the &amp;#39;add_plugins_page&amp;#39; and &amp;#39;add_themes_page&amp;#39; functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the &amp;#39;handle_module_actions&amp;#39; function. This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Apache MINA&amp;#39;s AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.<br /> <br /> <br /> <br /> <br /> The fix checks if the class is present in the accepted class filter before calling Class.forName(). <br /> <br /> <br /> <br /> <br /> <br /> <br /> Affected versions are Apache MINA 2.1.0

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:<br /> <br /> <br /> <br /> <br /> The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.<br /> <br /> <br /> <br /> <br /> Affected versions are Apache MINA 2.1.0

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.<br /> <br /> Users are recommended to upgrade to version 3.2.2, which fixes this issue.

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the &amp;#39;temp-login-token&amp;#39; GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP&amp;#39;s empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key &amp;#39;_temporary_login_token&amp;#39;, allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.