Important: bind

Issue Overview: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries see:...

Important: bind

Issue Overview: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries see:...

Medium: python3

Issue Overview: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...

Important: python-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates...

Important: python3-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates...

Amazon Linux 2 : python3-tornado, --advisory ALAS2-2026-3213 (ALAS-2026-3213)

The version of python3-tornado installed on the remote host is prior to 5.0.2-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3213 advisory. Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limi...

Amazon Linux 2023 : bind, bind-chroot, bind-devel (ALAS2023-2026-1533)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1533 advisory. If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there...

Amazon Linux 2 : bind, --advisory ALAS2-2026-3226 (ALAS-2026-3226)

The version of bind installed on the remote host is prior to 9.11.4-26.P2. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3226 advisory. If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive...

Low: python3.12-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-055 (ALASFIREFOX-2026-055)

The version of firefox installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2026-055 advisory. A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XM...

Amazon Linux 2023 : python3.11-pip, python3.11-pip-wheel (ALAS2023-2026-1531)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1531 advisory. When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation...

Amazon Linux 2 : gstreamer1-plugins-good, --advisory ALAS2-2026-3224 (ALAS-2026-3224)

The version of gstreamer1-plugins-good installed on the remote host is prior to 1.18.4-6. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3224 advisory. An out-of-bounds read in the WAV parser that can cause crashes for certain input files. CVE-2026-1940 Tenable has...

Amazon Linux 2023 : firefox (ALAS2023-2026-1518)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1518 advisory. A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML content with empty external parameter entities. This could lead to a NULL...

Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3219 (ALAS-2026-3219)

The version of thunderbird installed on the remote host is prior to 140.8.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3219 advisory. A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML...

Amazon Linux 2 : perl-YAML-Syck, --advisory ALAS2-2026-3216 (ALAS-2026-3216)

The version of perl-YAML-Syck installed on the remote host is prior to 1.27-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3216 advisory. YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high- severity heap buff...

Amazon Linux 2 : python-pyasn1, --advisory ALAS2-2026-3215 (ALAS-2026-3215)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3215 advisory. pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the pyasn1 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding ASN.1 data with deeply neste...

Important: dotnet8.0

Issue Overview: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. CVE-2026-26130 Affected Packages: dotnet8.0 Issue Correction: Run dnf update dotnet8.0 --releasever 2023.10.20260330 or dnf update --advisory...

Amazon Linux 2 : ImageMagick, --advisory ALAS2-2026-3211 (ALAS-2026-3211)

The version of ImageMagick installed on the remote host is prior to 6.9.10.97-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3211 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions...

Amazon Linux 2023 : aspnetcore-runtime-9.0, aspnetcore-runtime-dbg-9.0, aspnetcore-targeting-pack-9.0 (ALAS2023-2026-1506)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1506 advisory. Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. CVE-2026-26127 Allocation of resources without limits or throttling in ASP.NET Core allows an...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1524)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1524 advisory. Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 request...