27 matches found

Tenable Nessus
added 2026/05/28 12:00 a.m. · 8 views

Fedora 43 : python-uv-build / rust-astral-tokio-tar / etc (2026-f8487121bd)

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-f8487121bd advisory. Update uv and python-uv-build to 0.11.5, fixing GHSA-3cv2-h65g-fgmm and GHSA-4gg8-gxpx-9rph. Tenable has extracted the preceding description block directly...

AI score 5.8 · Exploits 0 · References 1
Tenable Nessus
added 2026/05/19 12:00 a.m. · 5 views

Fedora 45 : python-uv-build / rust-astral_async_http_range_reader / etc (2026-588c639071)

The remote Fedora 45 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-588c639071 advisory. Update uv and python-uv-build to 0.11.5, fixing GHSA-3cv2-h65g-fgmm and GHSA-4gg8-gxpx-9rph. Tenable has extracted the preceding description block directl...

AI score 5.8 · Exploits 0 · References 1
RedhatCVE
added 2026/05/08 8:21 p.m. · 5 views

CVE-2026-44349

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...

CVSS 7.1 · AI score 5.8 · EPSS 0.0002 · Exploits 0 · References 1
Vulnrichment
added 2026/05/07 1:57 p.m. · 6 views

CVE-2026-44349 Daptin fuzzy search injects unvalidated column name into raw SQL

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...

CVSS 7.1 · AI score 5.8 · EPSS 0.0002 · Exploits 0 · References 2
Cvelist
added 2026/05/07 1:57 p.m. · 36 views

CVE-2026-44349 Daptin fuzzy search injects unvalidated column name into raw SQL

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...

CVSS 7.1 · EPSS 0.0002 · Exploits 0 · References 2
ATTACKERKB
added 2026/05/07 1:57 p.m. · 4 views

CVE-2026-44349

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...

CVSS 7.1 · AI score 5.8 · EPSS 0.0002 · Exploits 0 · References 3 · Affected software 1
CNNVD
added 2026/05/07 12:00 a.m. · 7 views

daptin SQL injection vulnerability

Daptin is an open-source content management system developed by the Daptin developers. Versions of Daptin prior to 0.11.5 contain a SQL injection vulnerability. It stems from the processFuzzySearch function, which splits the user-supplied column parameter on commas and insert...

CVSS 7.1 · AI score 5.9 · EPSS 0.0002 · Exploits 0 · References 2
OSV
added 2026/03/24 7:39 p.m. · 4 views

CVE-2026-33353 Soft Serve: Authenticated repo import can clone server-local private repositories

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. Thi...

CVSS 7.1 · AI score 6.2 · EPSS 0.00015 · Exploits 1 · References 5
Cvelist
added 2026/03/20 12:49 a.m. · 19 views

CVE-2026-32829 lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer

lz4flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values...

CVSS 8.2 · EPSS 0.00015 · Exploits 0 · References 3
CNNVD
added 2026/03/20 12:00 a.m. · 4 views

lz4_flex security vulnerability

lz4flex is a high-performance LZ4 compression library written in Rust by the individual developer PSeitz. Versions of lz4flex prior to 0.11.5 and version 0.12.0 contain security vulnerabilities. They stem from improper validation while decompressing LZ4 data, leading to out-of-bounds read...

CVSS 8.2 · AI score 7.3 · EPSS 0.00015 · Exploits 0 · References 3
Fedora
added 2023/04/22 1:12 a.m. · 29 views

[SECURITY] Fedora 36 Update: pcs-0.11.5-2.fc36

pcs is a corosync and pacemaker configuration tool. It permits users to easily view, modify and create pacemaker based clusters...

CVSS 9.8 · AI score 9 · EPSS 0.01303 · Exploits 0
vulnersOsv
added 2022/09/13 9:15 p.m. · 3 views

apkutils (>=1.0.2 <=1.0.4), autoit-ripper (>=1.0.0 <=1.0.1) +6 more potentially affected by CVE-2022-38307 via lief (>=0.10.1 <=0.11.5)

lief PYPI version =0.10.1, =1.0.2, =1.0.0, =0.0.0, =0.0.1, =1.0.0, =1.0.1 - pyqbdl =0.1.0 - pysigtool =0.1.4 Source cves: CVE-2022-38307 Source advisory: OSV:PYSEC-2022-275...

CVSS 5.5 · AI score 6 · EPSS 0.00049 · Exploits 1
OSV
added 2022/02/15 1:57 a.m. · 20 views

GHSA-77CR-6GR8-7RR9 Use After Free in HashiCorp Nomad

HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6...

CVSS 9.1 · AI score 9.2 · EPSS 0.00306 · Exploits 0 · References 6
vulnersOsv
added 2021/09/01 6:37 p.m. · 2 views

-tompan-reacttemplate (>=1.0.1 <=1.1.0), 0x0.icu.anima (=0.1.0) +5585 more potentially affected by CVE-2021-23434 via object-path (>=0.0.1 <=0.11.5)

object-path NPM version =0.0.1, =1.0.1, =8.4.2, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =1.0.0, =0.0.1, =0.0.22 - @0soft/zero-material-ui =0.0.23-alpha.3 and more Source cves: CVE-2021-23434 Source advisory: OSV:GHSA-V39P-96QG-C8RF...

CVSS 8.6 · AI score 7.1 · EPSS 0.0039 · Exploits 1
OSV
added 2020/11/18 3:15 p.m. · 2 views

UBUNTU-CVE-2020-28724

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL...

CVSS 6.1 · AI score 6.4 · EPSS 0.00923 · Exploits 1 · References 3
RedhatCVE
added 2020/10/29 1:26 p.m. · 21 views

CVE-2020-27195

HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6...

CVSS 9.1 · AI score 1.9 · EPSS 0.00306 · Exploits 0 · References 3
Positive Technologies
added 2020/10/22 12:00 a.m. · 1 view

PT-2020-16658 · Hashicorp · Nomad Enterprise +1

Name of the Vulnerable Software and Affected Versions: HashiCorp Nomad and Nomad Enterprise versions 0.9.0 through 0.12.5 Description: The client file sandbox feature in HashiCorp Nomad and Nomad Enterprise can be subverted using either the template or artifact stanzas. This issue is related to a...

CVSS 9.1 · AI score 6.9 · EPSS 0.00306 · Exploits 0 · References 15
OSV
added 2020/10/19 10:15 p.m. · 0 views

UBUNTU-CVE-2020-15256

A prototype pollution vulnerability has been found in object-path = 0.11.0 is used, which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is n...

CVSS 9.8 · AI score 6.9 · EPSS 0.00163 · Exploits 0 · References 5
UbuntuCve
added 2020/10/19 10:15 p.m. · 23 views

CVE-2020-15256

A prototype pollution vulnerability has been found in object-path = 0.11.0 is used, which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is n...

CVSS 9.8 · AI score 6.9 · EPSS 0.00163 · Exploits 0 · References 4
Debian CVE
added 2020/10/19 9:25 p.m. · 28 views

CVE-2020-15256

A prototype pollution vulnerability has been found in object-path = 0.11.0 is used, which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is n...

CVSS 9.8 · AI score 7.3 · EPSS 0.00163 · Exploits 0