Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we make available to interested users a database with information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to make it easier to exchange information between different databases and tools. Each of the vulnerabilities listed links to several sources of information as well as to available patches or solutions provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow down the results.

Through an RSS subscription or the bulletins, we can be informed daily of the latest vulnerabilities added to the repository.

CVE-2025-71186

Publication date: 31/01/2026
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

dmaengine: stm32: dmamux: fix device leak on route allocation

Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.

Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Severity: Pending analysis
Last modified: 31/01/2026

CVE-2025-71187

Publication date: 31/01/2026
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

dmaengine: sh: rz-dmac: fix device leak on probe failure

Make sure to drop the reference taken when looking up the ICU device
during probe also on probe failures (e.g. probe deferral).
Severity: Pending analysis
Last modified: 31/01/2026

CVE-2025-71180

Publication date: 31/01/2026
Language: English
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

counter: interrupt-cnt: Drop IRQF_NO_THREAD flag

An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
CONFIG_PROVE_RAW_LOCK_NESTING warns:
=============================
[ BUG: Invalid wait context ]
6.18.0-rc1+git... #1
-----------------------------
some-user-space-process/1251 is trying to lock:
(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
other info that might help us debug this:
context-{2:2}
no locks held by some-user-space-process/....
stack backtrace:
CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
Call trace:
show_stack (C)
dump_stack_lvl
dump_stack
__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
counter_push_event [counter]
interrupt_cnt_isr [interrupt_cnt]
__handle_irq_event_percpu
handle_irq_event
handle_simple_irq
handle_irq_desc
generic_handle_domain_irq
gpio_irq_handler
handle_irq_desc
generic_handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
el0_interrupt
__el0_irq_handler_common
el0t_64_irq_handler
el0t_64_irq

... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
alternative to switching to raw_spinlock_t, because the latter would limit
all potential nested locks to raw_spinlock_t only.
Severity: Pending analysis
Last modified: 31/01/2026

CVE-2026-1251

Publication date: 31/01/2026
Language: English
*** Pending translation *** The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.
Severity CVSS v3.1: MEDIUM
Last modified: 31/01/2026

CVE-2026-0683

Publication date: 31/01/2026
Language: English
*** Pending translation *** The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity CVSS v3.1: MEDIUM
Last modified: 31/01/2026

CVE-2026-1431

Publication date: 31/01/2026
Language: English
*** Pending translation *** The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.
Severity CVSS v3.1: MEDIUM
Last modified: 31/01/2026

CVE-2025-15525

Publication date: 31/01/2026
Language: English
*** Pending translation *** The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts.
Severity CVSS v3.1: MEDIUM
Last modified: 31/01/2026

CVE-2025-15510

Publication date: 31/01/2026
Language: English
*** Pending translation *** The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter.
Severity CVSS v3.1: MEDIUM
Last modified: 31/01/2026

CVE-2026-25156

Publication date: 30/01/2026
Language: English
*** Pending translation *** HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and JavaScript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.
Severity CVSS v3.1: HIGH
Last modified: 30/01/2026

CVE-2020-37052

Publication date: 30/01/2026
Language: English
*** Pending translation *** AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges.
Severity CVSS v4.0: CRITICAL
Last modified: 30/01/2026

CVE-2020-37053

Publication date: 30/01/2026
Language: English
*** Pending translation *** Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts.
Severity CVSS v4.0: HIGH
Last modified: 30/01/2026

CVE-2020-37054

Publication date: 30/01/2026
Language: English
*** Pending translation *** Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
Severity CVSS v4.0: MEDIUM
Last modified: 30/01/2026