CVE-2026-41235

CVE-2026-41235 affects Froxlor 2.3.6 where system.available_shells is used to present allowed shells but not enforced by server-side Ftps::add/ Ftps::update. An authenticated customer with shell delegation can submit an arbitrary shell (e.g., /bin/bash); with nssextrausers integration this shell ...

Incorrect Authorization

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Incorrect Authorization via the Ftps::add and Ftps::update functions. An attacker can gain unauthorized shell access and escalate privileges by submitting an arbitrary shell value...

Linux Distros Unpatched Vulnerability : CVE-2026-43000

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the memb...

GHSA-QP9X-WP8F-QGJJ tuf has platform-dependent delegation path matching

DelegatedRole.istargetinpathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern. Python's fnmatch.fnmatch calls os.path.normcase on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.pat...

SUSE-SU-2026:21913-1 Security update for unbound

This update for unbound fixes the following issues - CVE-2026-32792: Packet of death with DNSCrypt bsc1265583. - CVE-2026-33278: Possible remote code execution during DNSSEC validation bsc1265587. - CVE-2026-40622: "Ghost domain name" variant bsc1265581. - CVE-2026-41292: Parsing a long list of...

CVE-2026-43000

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token...

PT-2026-47224

DelegatedRole. is target in pathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern. Python's fnmatch.fnmatch calls os.path.normcase on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts...

PT-2026-44465

Name of the Vulnerable Software and Affected Versions OpenStack Keystone versions prior to 29.0.2 Description A privilege escalation issue exists where an attacker with a member role on a project can escalate their privileges to admin. This is achieved by chaining unrestricted application...

PT-2026-42828

Name of the Vulnerable Software and Affected Versions PCManFM-Qt versions 1.1.0 and later Description An issue exists where PCManFM-Qt delegates to a different program based on file type without user confirmation when a regular file path is passed as a URI in the...

CVE-2026-42960

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: NFSD: Define actions for the new timedeleg FATTR4 attributes. NFSv4 clients will not send legitimate GETATTR requests for these new attributes, as they are intended to be used only with CBGETATTR and SETATTR. However, NFSD mus...

Astra Linux - уязвимость в linux, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: nfsd: fixed a use-after-free issue due to delegation race conditions. A delegation break could occur as soon as we call vfssetlease. A delegation break triggers a callback, which immediately adds the delegation to delrecalllru in...

Astra Linux - уязвимость в curl

A authentication bypass vulnerability exists in libcurl version 8.0.0, particularly in the connection reuse feature. This vulnerability allows for the reuse of previously established connections with incorrect user permissions, due to a failure to check for changes in the CURLOPTGSSAPIDELEGATION...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: nfsd: The flag SCSTATUSFREEABLE is now allowed when searching via nfs4lookupstateid. The pynfs DELEG8 test fails when run against nfsd. It acquires a delegation and then waits for the lease time out. It then attempts to use the...

Astra Linux - уязвимость в unbound

NLnet Labs Unbound, including version 1.16.1, is vulnerable to a new type of “ghost domain names” attack. The vulnerability operates by targeting an Unbound instance. When the cached delegation information is about to expire, Unbound queries for a rogue domain name. The rogue nameserver delays th...

Astra Linux - уязвимость в heimdal

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11, and 4.11.x before 4.11.3 have a issue where the S4U MS-SFU Kerberos delegation model includes a feature that allows a subset of clients to be opt-out from constrained delegation in either S4U2Self or regular Kerberos authentication...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: nfsd: When trying to queue dlrecall, if the call to nfsd4runcb fails, the reference count of dlstid is not decremented. This leads to a memory leak as follows: Unreferenced object 0xffff88812067b578 size 344: Comm “nfsd”, pid 276...

Astra Linux - уязвимость в freeipa

A vulnerability was discovered in FreeIPA regarding the initial implementation of MS-SFU by MIT Kerberos. This implementation lacked a condition for granting the “forwardable” flag on S4U2Self tickets. To fix this issue, a special case had to be added to the checkallowedtodelegate function: If th...

Astra Linux - уязвимость в unbound

NLnet Labs Unbound, including version 1.16.1, is vulnerable to a new type of “ghost domain name” attack. The vulnerability operates by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain,...

Astra Linux - уязвимость в unbound

A vulnerability called “Non-Responsive Delegation Attack” NRDelegation Attack has been discovered in various DNS resolution software. The NRDelegation Attack operates by creating a malicious delegation with a significant number of non-responsive name servers. The attack begins by querying a...