Oracle Linux 8 : kernel (ELSA-2026-23258)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-23258 advisory. - smb: client: reject userspace cifs.spnego descriptions Paulo Alcantara RHEL-178938 CVE-2026-46243 - smb: client: fix OOB reads parsing symlink error response...
CVE-2020-25900
HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. The client side was changed in 2019 to encrypt that database...
kernel security update
4.18.0-553.129.1 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...
ROS-20260605-73-0106
The vulnerability of Mozilla Firefox, Firefox ESR, and the email client Thunderbird relates to reading data beyond the buffer in memory. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
ROS-20260605-73-0103
Vulnerability of WebRTC component: The networking functions of Mozilla Firefox, Firefox ESR, and the email client Thunderbird are vulnerable due to the execution of operations outside of the buffer in memory. Exploiting this vulnerability can allow attackers to compromise the confidentiality,...
PT-2026-46941
Name of the Vulnerable Software and Affected Versions: X.Org X server (affected versions not specified), Xwayland (affected versions not specified). Description: A use-after-free flaw exists in the SyncChangeCounter function. A client that establishes multiple SyncCounters can trigger this condition by...
ROS-20260605-73-0048
The vulnerability of the WebRender component in Mozilla Firefox, Firefox ESR, and the email client Thunderbird is related to the use of memory after it is freed. Exploiting this vulnerability could allow an attacker to cause a service failure...
PT-2026-46940
Name of the Vulnerable Software and Affected Versions: X.Org X server (affected versions not specified), Xwayland (affected versions not specified). Description: A use-after-free flaw exists in the FreeCounter function. This occurs when a client establishes multiple SyncCounters and awaits their triggers...
Security update for keybase-client (important)
openSUSE security update: security update for keybase-client. Announcement ID: openSUSE-SU-2026:20902-1. Rating: important. References: bsc1253563 bsc1253864 bsc1254023 bsc1258591 bsc1260696 bsc1266158 bsc1266596. Cross-References:...
RockyLinux 10 : go-fdo-client and go-fdo-server (RLSA-2026:22141)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:22141 advisory. crypto/tls: Unexpected session resumption in crypto/tls CVE-2025-68121 crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certifica...
PT-2026-46956
HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. The client side was changed in 2019 to encrypt that database...
PT-2026-47027
Name of the Vulnerable Software and Affected Versions: UDS Identity Config versions 0.11.0 through 0.26.0. Description: A logic error exists in the client-kubernetes-secret Keycloak client authenticator. This error causes the submitted client secret to be overwritten with the mounted Kubernetes secr...
USN-8387-1 inetutils vulnerabilities
It was discovered that the Inetutils telnet daemon incorrectly handled the CREDENTIALS_DIRECTORY environment variable. An attacker could possibly use this issue to escalate privileges. CVE-2026-28372 It was discovered that the Inetutils telnet daemon did not properly validate buffer bounds when...
Exploit for Use After Free in Redis
redis-cve-2026-23479-check: A safe, read-only version chec...
GHSA-XGX4-4H9W-53PV AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle
Summary: This report covers the client-triggered DoQ forwarding path in dnsproxy v0.81.2 (adguard/dnsproxy:v0.81.2) and AdGuard Home v0.107.74 (adguard/adguardhome:latest, image version label v0.107.74). The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ...
EUVD-2026-31998
epa4all-client: Unauthenticated REST API for Patient Record Writes...
GHSA-C82X-F4XR-QV33 epa4all-client: Unauthenticated REST API for Patient Record Writes
Impact: Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without...
kernel: Linux kernel: smb: client: reject userspace cifs.spnego descriptions
A privilege escalation vulnerability was found in the Linux kernel's CIFS client implementation. This could allow a local attacker to impersonate other users, bypass authentication in SMB mount operations, and potentially gain unauthorized access to network file shares or escalate privileges...
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
Impact: The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: "client_secret_basic", "client_secret_post"...