175 matches found

Snyk
added 2026/05/05 3:34 p.m. | 8 views

XML Injection

Overview: Affected versions of this package are vulnerable to XML Injection in the KML and GPX export functionality. An attacker can corrupt the file structure and spoof exported location data by creating a device with a crafted name that injects XML content into the exported files. Remediation...

CVSS 5.4 | AI score 5.8 | EPSS 0.00049
Exploits: 1 | References: 2
ATTACKERKB
added 2026/05/05 12:17 p.m. | 2 views

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

CVSS 5.4 | AI score 5.8 | EPSS 0.00049
Exploits: 1 | References: 3 | Affected Software: 1
Positive Technologies
added 2026/05/05 12:00 a.m. | 4 views

PT-2026-37033

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

CVSS 5.4 | AI score 5.8 | EPSS 0.00049
Exploits: 1 | References: 3
NVD
added 2026/04/23 1:16 p.m. | 1 view

CVE-2025-13763

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs...

CVSS 5.7 | EPSS 0.00026
Exploits: 0 | References: 4
EUVD
added 2026/04/23 12:27 p.m. | 0 views

EUVD-2025-209564

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs...

CVSS 5.7 | AI score 5.7 | EPSS 0.00026
Exploits: 0 | References: 4
Vulnrichment
added 2026/04/23 12:27 p.m. | 0 views

CVE-2025-13763 Libopensc: opensc: multiple uses of uninitialized variable

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs...

CVSS 5.7 | AI score 5.7 | EPSS 0.00026
Exploits: 0 | References: 4
RedhatCVE
added 2026/04/23 12:17 p.m. | 3 views

CVE-2025-13763

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. Mitigation: To mitigate this issue, avoid...

CVSS 5.7 | AI score 5.8 | EPSS 0.00026
Exploits: 0 | References: 5
OSV
added 2026/03/30 6:16 p.m. | 1 view

UBUNTU-CVE-2025-49010

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that wou...

CVSS 6.8 | AI score 5.7 | EPSS 0.00021
Exploits: 0 | References: 2
OSV
added 2026/03/30 6:16 p.m. | 0 views

UBUNTU-CVE-2025-66215

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires crafted USB device or smart card that...

CVSS 6.8 | AI score 5.7 | EPSS 0.00023
Exploits: 0 | References: 2
CVE
added 2026/03/30 5:06 p.m. | 7 views

CVE-2025-66215

OpenSC before 0.27.0 is affected by a stack-buffer-overflow WRITE in card-oberthur. An attacker with physical access can trigger it by presenting a crafted USB device or smart card that replies to APDUs with specially crafted responses. The issue is mitigated by upgrading to version 0.27.0, which...

CVSS 6.8 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 4 | Affected Software: 1
RedhatCVE
added 2026/03/25 2:12 p.m. | 3 views

CVE-2026-23365

A flaw was found in the Linux kernel's kalmia USB driver. This vulnerability occurs because the driver does not properly validate the number and types of USB endpoints when a device is connected. A local attacker with a specially crafted malicious USB device could exploit this flaw, causing the...

CVSS 5.5 | AI score 5.7 | EPSS 0.00031
Exploits: 0 | References: 4
RedHat Linux
added 2026/02/17 1:03 a.m. | 0 views

kernel: Linux kernel ALSA USB audio driver: Buffer overflow leading to information disclosure and denial of service

A flaw was found in the ALSA USB audio driver of the Linux kernel. This vulnerability, a buffer overflow, occurs when the size of the Pulse-Code Modulation (PCM) stream data packets exceeds the maximum allowed by the USB descriptor. A local attacker could exploit this by providing specially crafted...

AI score 6.1 | EPSS 0.00208
Exploits: 0 | References: 5
RedhatCVE
added 2026/01/30 9:23 p.m. | 3 views

CVE-2025-15543

Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files...

CVSS 5.1 | AI score 5.9 | EPSS 0.00032
Exploits: 0 | References: 1
ATTACKERKB
added 2026/01/29 6:06 p.m. | 2 views

CVE-2025-15543

Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files...

CVSS 5.1 | AI score 5.9 | EPSS 0.00032
Exploits: 0 | References: 3
Positive Technologies
added 2026/01/29 12:00 a.m. | 3 views

PT-2026-5322

Name of the Vulnerable Software and Affected Versions: VX800v version 1.0. Description: A flaw exists in the USB HTTP access path that results in improper link resolution. This allows a specially crafted USB device to reveal the root filesystem contents, granting an attacker with physical access...

CVSS 5.1 | AI score 5.9 | EPSS 0.00032
Exploits: 0 | References: 5
Redos
added 2026/01/29 12:00 a.m. | 3 views

ROS-20260129-73-0011

A vulnerability in the AVRCP protocol implementation of the Bluetooth protocol stack for Linux BlueZ is related to reading beyond memory buffer boundaries. Exploitation of the vulnerability could allow an attacker acting remotely to bypass existing security restrictions by using a specially craft...

CVSS 5.7 | AI score 6.1 | EPSS 0.0004
Exploits: 0
OSV
added 2026/01/28 6:16 p.m. | 1 view

CVE-2025-70999

A GPU device-ID validation flaw in the flow.cuda.getdevicecapability component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID...

CVSS 7.5 | AI score 5.4
Exploits: 0 | References: 3
Snyk
added 2026/01/28 5:47 p.m. | 3 views

Improper Validation of Array Index

Overview: Affected versions of this package are vulnerable to Improper Validation of Array Index via improper validation in the flow.cuda.getdevicecapability function. An attacker can cause the application to crash or become unresponsive by supplying a specially crafted device ID. Remediation: Ther...

CVSS 8.7 | AI score 5.5 | EPSS 0.00046
Exploits: 1 | References: 2
Vulnrichment
added 2026/01/28 12:00 a.m. | 4 views

CVE-2025-70999

A GPU device-ID validation flaw in the flow.cuda.getdevicecapability component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID...

AI score 5.9 | EPSS 0.00046
Exploits: 1 | References: 3
Tenable Nessus
added 2026/01/16 12:00 a.m. | 4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001653)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001653 advisory. The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number o...

CVSS 7.2 | AI score 6.5 | EPSS 0.00073
Exploits: 0 | References: 17