379 matches found
OESA-2026-2691 mongo-c-driver security update
mongo-c-driver is a project that includes two libraries: libmongoc, a client library written in C for MongoDB. libbson, a library providing useful routines related to building, parsing, and iterating BSON documents. Security Fixes: The MongoDB C Driver's Cyrus SASL integration performs unsafe...
PT-2026-53084
Name of the Vulnerable Software and Affected Versions 7-Zip for Windows versions prior to 26.02 Description 7-Zip fails to preserve the Mark-of-the-Web MotW when extracting a specially crafted RAR5 archive. The software uses a guard to suppress archive-supplied Zone.Identifier streams, but it onl...
GHSA-MWR2-WMGP-CRJ6 OpenBao's System Backend allows Unauthorized Management of the containing Namespace
Summary A user that is granted namespace management /sys/namespaces capabilities within a non-root namespace "the victim namespace" can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself. Details Several endpoints under...
CVE-2026-48794
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may b...
CVE-2026-48794
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may b...
GHSA-R46F-3RPW-HXRV Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)
Impact The default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals e.g. http://127.0.0.1/, http://169.254.169.254/. The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, whi...
CVE-2026-49454
Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. Versions 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. The XMLDSig trust boundary was...
PT-2026-50796
Name of the Vulnerable Software and Affected Versions Relyra versions 1.0.0 through 1.1.0 Description Relyra is a SAML 2.0 Service Provider library for Elixir and Phoenix that accepts forged SAML signatures. This occurs because the SignatureValue is not cryptographically verified before the libra...
EulerOS Virtualization 2.13.1 : util-linux (EulerOS-SA-2026-2391)
According to the versions of the util-linux packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU Time-of-Check- Time-of-Use vulnerabilit...
CVE-2026-40987 Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem outside the configured local-directory with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through...
CVE-2026-40987
CVE-2026-40987 affects Spring Integration across multiple tracked branches (7.0.0–7.0.4, 6.5.0–6.5.8, 6.4.0–6.4.11, 6.3.0–6.3.14, 5.5.0–5.5.20). The connected documents describe a vulnerability where a malicious or compromised FTP/SFTP/SMB server can cause the client to write arbitrary files anyw...
cve-2026-40987 - HIGH - Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
cve-2026-40987 - HIGH - Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization...
EulerOS 2.0 SP13 : util-linux (EulerOS-SA-2026-2317)
According to the versions of the util-linux packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU Time-of-Check- Time-of-Use vulnerability has been...
EulerOS 2.0 SP11 : util-linux (EulerOS-SA-2026-2268)
According to the versions of the util-linux packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in util-linux. Improper hostname canonicalization in the login1 utility, when invoked with the -h option, can modify the...
EulerOS 2.0 SP11 : util-linux (EulerOS-SA-2026-2231)
According to the versions of the util-linux packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in util-linux. Improper hostname canonicalization in the login1 utility, when invoked with the -h option, can modify the...
EulerOS Virtualization 2.12.1 : util-linux (EulerOS-SA-2026-2090)
According to the versions of the util-linux packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A vulnerability exists in util-linux package that allows access control bypass due to improper hostname...
EulerOS Virtualization 2.10.0 : util-linux (EulerOS-SA-2026-2065)
According to the versions of the util-linux packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A flaw was found in util-linux. Improper hostname canonicalization in the login1 utility, when invoked with the -h option, can...
EulerOS Virtualization 2.12.0 : util-linux (EulerOS-SA-2026-2115)
According to the versions of the util-linux packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A vulnerability exists in util-linux package that allows access control bypass due to improper hostname...
Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : PHP vulnerabilities (USN-8336-1)
The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8336-1 advisory. Aleksey Solovev and Nikita Sveshnikov discovered that PHP improperly handled NUL bytes when preparing SQL queries in the...
OPENSUSE-SU-2026:20864-1 Security update for evolution-data-server
This update for evolution-data-server fixes the following issues: - CVE-2026-2604: Canonicalize path before local cache file removal. bsc1258307...