297 matches found
USN-8492-1 linux, linux-aws, linux-aws-fips, linux-gcp, linux-gcp-fips, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oracle, linux-realtime, linux-realtime-6.8 vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - MIPS architecture; - PowerPC architecture; - x86 architecture; - Block layer subsystem; -...
Malicious code in @webda-infra-ui/static-images (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24e3a5a5b3cabd78201cf327847094e9dab8bfcee7452d7665151ea8ddc75d93 No suspicious behaviors were identified in this package version. The tarball contains 2 files with no lifecycle scripts, no network calls, no...
CVE-2026-56272
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...
Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...
MAL-2026-5849 Malicious code in vite-configu-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7755490e331340729b0f6eab38cac0857e0aea337579950f610e728b300367fa Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2026-47190 IPAM controller service account granted unnecessary full access to Secrets
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal...
CVE-2026-11414
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the...
CVE-2025-31974
HCL BigFix Service Management SM is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes...
CVE-2026-27662
Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of backdoors, performin...
Malicious code in evmchain-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6d325c67c3edd95dd9b9e24502f3c8d01369606c35e1231231383e34a24b2da7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise
A flaw was found in Keycloak. The cross-session verification proof is keyed only by local userId, idpAlias and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account...
PT-2026-40956
HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions...
MAL-2026-3515 Malicious code in @tallyui/connector-medusa (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3acb08c5699637240eec2741252206938cd0e0be4b997523e2100925456e2e39 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/virtual-file-routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c95e413c2e182a7d35b0ec3ba9f2a979d63c77c1a7f20a6204059f7b66b433bc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
EUVD-2026-26862
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...
Weak Random Value Generation For Secrets (weak PRNG)
Spring Boot is vulnerable to the use of a weak pseudo-random number generator PRNG. The vulnerability is due to the use of predictable random value sources e.g., $random.value, $random.int, $random.long, which allows an attacker to guess or brute-force generated secrets and compromise application...
Malicious code in @usealloy/api-contract (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ac2459ced40bf7d07428205c0322e09c951fdc50972f337b30508ad2ad867b37 The package @usealloy/api-contract was found to contain malicious code. Source: ghsa-malware...
Malicious code in magentaa11y (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 995b52a2411e3213a611e58f659a941136e8021a88e1d638a232018265d5c11a The package magentaa11y was found to contain malicious code. Source: ghsa-malware 1c1c14e542b99ac8e01a06fd61158c90ffe14fbedbf4834d97f38d65d477ebb5 An...
PT-2026-31804
Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on MX Series versions 24.4 releases before 24.4R2-S3 Juniper Networks Junos OS on MX Series versions 25.2 releases before 25.2R2 Description A Missing Authorization issue in the CLI of Juniper Networks Junos OS on MX...
USN-8159-1 linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - Cryptographic API; - Netfilter; - Network traffic control; CVE-2025-37849, CVE-2026-23060,...