Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-7500

Publication date:
30/04/2026
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-36958

Publication date:
30/04/2026
A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-36956

Publication date:
30/04/2026
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-36957

Publication date:
30/04/2026
Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-7163

Publication date:
30/04/2026
A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub.

The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace.

The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected.
This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode.

Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2025-14576

Publication date:
30/04/2026
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
Severity CVSS v4.0: HIGH
Last modification:
05/05/2026

CVE-2024-13971

Publication date:
30/04/2026
Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
Severity CVSS v4.0: HIGH
Last modification:
17/05/2026

CVE-2026-41882

Publication date:
30/04/2026
In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-5080

Publication date:
30/04/2026
Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely.

The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times.

The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations.

The epoch time can be guessed by an attacker, and may be leaked in the HTTP header.

The process id comes from a small set of numbers, and workers may have sequential process ids.

The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications.

Predictable session ids could allow an attacker to gain access to systems.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2026

CVE-2026-31693

Publication date:
30/04/2026
In the Linux kernel, the following vulnerability has been resolved:

cifs: some missing initializations on replay

In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary reinitializations of certain local variables before replay.

This change makes sure that these variables get initialized after the label.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2026

CVE-2026-1493

Publication date:
30/04/2026
LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser.
An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.

This issue was fixed in version 1.3.4.
Severity CVSS v4.0: MEDIUM
Last modification:
05/05/2026

CVE-2026-31787

Publication date:
30/04/2026
In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix double free via VMA splitting

privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback.

Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)

The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free.

Fix this issue by adding a .may_split callback denying the VMA split.

This is XSA-487 / CVE-2026-31787
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2026