CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule

Impact The extin upload validation rule checked the MIME-derived guessed extension instead of the client-provided filename extension. As a result, an uploaded file named shell.php containing GIF-like content could pass validation such as:...

CVE-2026-46529

A flaw was found in Atril, Evince and Xreader. A malicious link inside a specially crafted PDF document can cause arbitrary code execution when clicked due to improper quoting of attacker-controlled PDF link-destination fields during remote go-to /GoToR actions. This issue allows an attacker to...

SUSE-SU-2026:2378-1 Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues Update to version 2.52.4: - CVE-2026-28847: processing maliciously crafted web content may lead to an unexpected process crash or arbitrary code execution due to a heap buffer overflow bsc1267506. - CVE-2026-28883: processing maliciously...

CVE-2026-8637

A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges...

CVE-2026-41003

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10;...

PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing

Summary PDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir, attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins...

USN-8422-1 mistral vulnerability

Eduardo Gonzalez Gutierrez and Arnaud Morin discovered that Mistral did not properly enforce access policies on some API endpoints. An attacker could possibly execute arbitrary code on a Mistral worker and possibly extract sensitive data including service credentials from it...

libyang security update

An update is available for libyang. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Libyang is YANG data modeling language parser and toolkit written and...

cockpit-image-builder security update

An update is available for cockpit-image-builder. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The image-builder-frontend generates custom images suitable fo...

Vulnerabilities present in Adobe Acrobat Reader

Adobe has identified vulnerabilities in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651, and earlier versions. These vulnerabilities include an out-of-bounds write vulnerability and multiple Use After Free errors. These errors occur when processing certain malformed or maliciously...

Malicious code in tailwind-typography-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 29345b97ddc8c5fe985d1a69d53db15e4126052929267a584b463e94f43b0bc3 [email protected] impersonates the legitimate @tailwindcss/typography Tailwind CSS plugin confusable name, copied plugin export shape,...

libyang security update

An update is available for libyang. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Libyang is YANG data modeling language parser and toolkit written and providi...

RLSA-2026:24545 Important: libyang security update

Libyang is YANG data modeling language parser and toolkit written and providing API in C. Security Fixes: libyang: libyang: Denial of Service or arbitrary code execution via maliciously crafted LYB binary blob CVE-2026-44673 For more details about the security issues, including the impact, a CVSS...

[SECURITY] [DSA 6338-1] libdbi-perl security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6338-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 11, 2026 https://www.debian.org/security/faq -...

CVE-2026-46432

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trustremotecode=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no...

rsync: Rsync: Use-after-free vulnerability in extended attribute handling

A flaw was found in rsync. When rsync is configured to handle extended attributes using the -X or --xattrs option, a remote attacker can exploit a use-after-free vulnerability. This occurs because the receivexattr function incorrectly processes an untrusted length value during a sorting operation...

Ubuntu 18.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : shell-quote vulnerability (USN-8410-1)

The remote Ubuntu 18.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8410-1 advisory. Akshat Sinha discovered that shell-quote improperly validated object-token inputs. An attacker could possibly use this...

PT-2026-48681

Summary PDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir, attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins...

PT-2026-48705

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0495 Description A Vimscript code injection exists in the s:NetrwBookHistSave function within the netrw plugin. The issue occurs when serializing browsed directory paths to the history file /.vim/.netrwhist. A directo...

CyberArk Idira Privileged Session Manager 路径遍历漏洞

CyberArk Idira Privileged Session Manager is a privileged session management platform developed by the American company CyberArk. Versions of CyberArk Idira Privileged Session Manager prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5 contained a path traversal vulnerability. This vulnerability stemmed...