Important: python-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates...

Medium: libsodium

Issue Overview: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalidpoint, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group...

Medium: gvfs

Issue Overview: A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode PASV response. The client unconditionally trusts this information and attempts to connect to the specified endpoint,...

Medium: libsodium

Issue Overview: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalidpoint, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group...

Important: libtiff

Issue Overview: libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tifopen.c. CVE-2025-61143 libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function. CVE-2025-61144 Affected Packages: libtiff...

Important: compat-libtiff3

Issue Overview: libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tifopen.c. CVE-2025-61143 libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function. CVE-2025-61144 Affected Packages:...

Medium: compat-libtiff3

Issue Overview: libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c. CVE-2025-61145 A vulnerability was identified in LibTIFF 4.7.0. This issue affects the function May of the file tiffcrop.c of the component tiffcrop. The manipulation leads to memory...

Important: 389-ds-base

Issue Overview: A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the schemaattrenumcallback function within the schema.c file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for...

Important: postgresql

Issue Overview: Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. CVE-2026-2005 Affected Packages: postgresql Note: This...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3198 (ALAS-2026-3198)

The version of thunderbird installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3198 advisory. Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox 148, Firefox...

Amazon Linux 2 : golist, --advisory ALAS2-2026-3202 (ALAS-2026-3202)

The version of golist installed on the remote host is prior to 0.10.1-10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3202 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix...

Amazon Linux 2 : exiv2, --advisory ALAS2-2026-3201 (ALAS-2026-3201)

The version of exiv2 installed on the remote host is prior to 0.27.0-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3201 advisory. Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata...

Amazon Linux 2 : golang, --advisory ALAS2-2026-3203 (ALAS-2026-3203)

The version of golang installed on the remote host is prior to 1.25.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3203 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix...

Amazon Linux 2 : 389-ds-base, --advisory ALAS2-2026-3205 (ALAS-2026-3205)

The version of 389-ds-base installed on the remote host is prior to 1.3.10.2-17. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3205 advisory. A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the schemaattrenumcallback...

Amazon Linux 2 : gimp, --advisory ALAS2GIMP-2026-012 (ALASGIMP-2026-012)

The version of gimp installed on the remote host is prior to 2.8.22-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2GIMP-2026-012 advisory. GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote...

Amazon Linux 2 : postgresql, --advisory ALAS2-2026-3193 (ALAS-2026-3193)

The version of postgresql installed on the remote host is prior to 9.2.24-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3193 advisory. Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user...

Amazon Linux 2 : amazon-cloudwatch-agent, --advisory ALAS2-2026-3191 (ALAS-2026-3191)

The version of amazon-cloudwatch-agent installed on the remote host is prior to 1.300064.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3191 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when...

Amazon Linux 2 : amazon-ssm-agent, --advisory ALAS2-2026-3207 (ALAS-2026-3207)

The version of amazon-ssm-agent installed on the remote host is prior to 3.3.3883.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3207 advisory. cmd/go: bypass of flag sanitization can lead to arbitrary code execution CVE-2025-61731 cmd/go: unexpected...

Amazon Linux 2 : lcms2, --advisory ALAS2-2026-3192 (ALAS-2026-3192)

The version of lcms2 installed on the remote host is prior to 2.6-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3192 advisory. A heap buffer overflow vulnerability has been identified in thesmooth2 in cmsgamma.c in lcms2-2.16 which allows a remote attacker to...

Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2026-024 (ALASTOMCAT9-2026-024)

The version of tomcat installed on the remote host is prior to 9.0.115-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2026-024 advisory. mproper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from...