AlmaLinux 8 : nginx:1.24 (ALSA-2026:18041)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:18041 advisory. nginx: NGINX: Arbitrary Code Execution Vulnerability CVE-2026-42945 Tenable has extracted the preceding description block directly from the AlmaLinux security...

MiracleLinux 9 : nginx-1.20.1-24.el9_7.3.ML.1 (AXSA:2026-640:03)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-640:03 advisory. nginx: NGINX: Arbitrary Code Execution Vulnerability CVE-2026-42945 Tenable has extracted the preceding description block directly from the MiracleLinux...

MiracleLinux 8 : nginx:1.24 (AXSA:2026-645:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-645:01 advisory. nginx: NGINX: Arbitrary Code Execution Vulnerability CVE-2026-42945 Tenable has extracted the preceding description block directly from the MiracleLinux...

RHEL 10 : systemd (RHSA-2026:19068)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:19068 advisory. The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive...

RHEL 10 : nginx (RHSA-2026:19159)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:19159 advisory. nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security...

RHEL 10 : python3.12 (RHSA-2026:19064)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19064 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

MLFlow Creates a Temporary File With Insecure Permissions

In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...

CVE-2026-4137 Incomplete Fix for CVE-2025-10279: Insecure Temporary Directory Permissions in mlflow/mlflow

In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...

EUVD-2026-30807

In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...

CVE-2026-8838

Unsafe use of Python's eval on server-received data in the vectorin function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14...

CVE-2026-47092 Claude HUD 0.0.12 Arbitrary Command Execution via COMSPEC Environment Variable

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version...

[SECURITY] [DSA 62801] netatalk security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6280-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 18, 2026 https://www.debian.org/security/faq -...

ChromaDB Python project has a pre-authentication code injection vulnerability

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trustremotecode set to true in...

RLSA-2026:18030 Important: ruby:3.3 security update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fixes: erb: ERB: Arbitrary code execution via deserialization bypass CVE-2026-41316 For more details about the security issues, including...

nginx:1.24 security update

An update is available for nginx, module.nginx. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list nginx is a web and proxy server supporting HTTP and other...

RLSA-2026:18041 Critical: nginx:1.24 security update

nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fixes: nginx: NGINX: Arbitrary Code Execution Vulnerability CVE-2026-42945 For more details about the security issues, including the impact, a CVSS...

Arbitrary Code Injection

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the calculation parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary...

Docker: `PUT /containers/{id}/archive` executes container binary on the host

Summary When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon host root privileges. Details When handling PUT /containers/id/archive requests with compressed archives, the daemon decompresses them using external system binaries. Due to...

GHSA-X86F-5XW2-FM2R Docker: `PUT /containers/{id}/archive` executes container binary on the host

Summary When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon host root privileges. Details When handling PUT /containers/id/archive requests with compressed archives, the daemon decompresses them using external system binaries. Due to...

CVE-2026-45829

CVE-2026-45829 affects the ChromaDB Python project (version 1.0.0 and later). It is a pre-authentication code-injection vulnerability that allows an unauthenticated attacker to execute arbitrary code on the server by supplying a malicious model repository and setting trust_remote_code to true via...