222 matches found
CVE-2026-58052 7-Zip - Mark-of-the-Web Bypass via RAR5 Alternate Data Stream Name Collision
7-Zip for Windows through 26.01 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched...
EUVD-2026-39972
7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched...
CVE-2026-53571
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...
CVE-2026-53571
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...
CVE-2026-53571 Vite: `server.fs.deny` bypass on Windows alternate paths
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...
Directory Traversal
Overview vite-plus is a The Unified Toolchain for the Web Affected versions of this package are vulnerable to Directory Traversal due to improper checks for file system paths on Windows platforms in isFileLoadingAllowed function. An attacker can obtain sensitive file contents by bypassing path...
Directory Traversal
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal due to improper checks for file system paths on Windows platforms in isFileLoadingAllowed function. An attacker can obtain sensitive file contents by bypassing path...
vite: `server.fs.deny` bypass on Windows alternate paths
Summary The contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file...
GHSA-FX2H-PF6J-XCFF vite: `server.fs.deny` bypass on Windows alternate paths
Summary The contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file...
WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu aka Gamaredon and SHADOW-EARTH-066 aka...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the validatepathelementntfs function. An attacker can write arbitrary files and potentially execute code in the victim's user context by crafting malicious Git repositories with NTFS-hostile tree entries that are...
Astra Linux – Vulnerability in libgit2
A issue was discovered in libgit2 before versions 0.28.4 and 0.9x before version 0.99.0. path.c improperly handles equivalent filenames that exist due to NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352...
Unity Linux 20.1060e / 20.1070e Security Update: libgit2 (UTSA-2026-017582)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017582 advisory. An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. Th...
SUSE CVE-2026-43204
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...
EUVD-2026-27763
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...
CVE-2026-43204
Summary: CVE-2026-43204 affects the Linux kernel ASoC: qcom q6asm component, where DSP responses for closed data streams could still be processed, causing system lockups. Root cause: DSP responses arriving after stream closure were not unconditionally dropped. Fix: unconditionally drop all DSP re...
CVE-2026-43204 ASoC: qcom: q6asm: drop DSP responses for closed data streams
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...
CVE-2026-43204
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...
CVE-2026-43204
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...
CVE-2026-43204 ASoC: qcom: q6asm: drop DSP responses for closed data streams
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...