Improper Authentication

Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Information Exposure

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

Information Exposure

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

GHSA-2RGJ-GX5X-F62W ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model

The distributed pixel cache was originally designed to operate without a challenge–response authentication model. However, given today’s heightened security expectations, we have changed our implementation...

ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model

The distributed pixel cache was originally designed to operate without a challenge–response authentication model. However, given today’s heightened security expectations, we have changed our implementation...

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks

Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actu...

PYSEC-2026-161 BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks

Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actu...

EUVD-2026-31424

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5...

CVE-2026-25608

CVE-2026-25608 (STER) : The vulnerability involves unencrypted TCP traffic used by STER to transmit data, enabling a Man-In-The-Middle attacker to obtain sensitive information such as passwords, personal data, or authentication tokens. The underlying risk is data confidentiality loss during netwo...

CVE-2026-25608 Lack of traffic encryption in STER

STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a Man-In-The-Middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5...

BIT-MEMCACHED-2026-47784

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by saslserveruserdbcheckpass...

BIT-MEMCACHED-2026-47783

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by saslserveruserdbcheckpass...

Allocation of Resources Without Limits or Throttling

Overview golang.org/x/crypto/ssh is a SSH client and server Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the public key parsers. An attacker can exhaust CPU resources by submitting crafted RSA or DSA public keys with excessively larg...

Improper Authentication

Overview github.com/golang/crypto/ssh is a SSH client and server Affected versions of this package are vulnerable to Improper Authentication due to the Verify method not checking the User Presence flag in FIDO/U2F security key types. An attacker can perform unauthorized authentication by generati...

Improper Authentication

Overview golang.org/x/crypto/ssh is a SSH client and server Affected versions of this package are vulnerable to Improper Authentication due to the Verify method not checking the User Presence flag in FIDO/U2F security key types. An attacker can perform unauthorized authentication by generating...

MAL-2026-4733 Malicious code in wrld-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c The package exposes a public authentication API auth.user.login, auth.user.register, auth.user.get, auth.user.delete, plus an auth.system RPC surface...

Malicious code in wrld-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c The package exposes a public authentication API auth.user.login, auth.user.register, auth.user.get, auth.user.delete, plus an auth.system RPC surface...

UBUNTU-CVE-2026-39828

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError...

CVE-2026-42508

CVE-2026-42508 concerns revocation checks for a CA SignatureKey. The fix adds revocation checks for both the CA 'key' and 'key.SignatureKey' (prevents bypass). The CVE is rated CRITICAL (CVSS 3.1: 9.1, Network, no user interaction). Exploitation details are not provided in the documents; mitigati...

CVE-2026-39829

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public...