EUVD-2026-17361

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI...

CVE-2026-0396

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI...

UBUNTU-CVE-2026-0396

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI...

CVE-2026-0396 HTML injection in the web dashboard

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI...

CVE-2026-0396 HTML injection in the web dashboard

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI...

CVE-2026-0396

CVE-2026-0396 : The vulnerability affects a DNSdist instance with domain-based dynamic rules enabled (DynBlockRulesGroup:setSuffixMatchRule or setSuffixMatchRuleFFI). An attacker can inject HTML content into the internal web dashboard by sending crafted DNS queries. The reports do not specify aff...

[SECURITY] Fedora 44 Update: bind-dyndb-ldap-11.11-13.fc44

This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server...

PT-2026-29401

Summary The SanitizeSVG function introduced in v3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5 parser records the element's tag as "x:script" rather than "script", so the tag check passes i...

An Empirical Comparison of Security and Privacy Characteristics of Android Messaging Apps

Mobile messaging apps are a fundamental communication infrastructure, used by billions of people every day to share information, including sensitive data. Security and Privacy are thus critical concerns for such applications. Although the cryptographic protocols prevalent in messaging apps are...

PT-2026-29282

Uncontrolled search path elements in Anthropic Claude for Windows installer Claude Setup.exe versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs e.g., profapi.dll from its own directory after UAC elevation, enabling arbitrary code...

GHSA-QHJ7-V7H7-Q4C7 Glances Vulnerable to Command Injection via Dynamic Configuration Values

Summary Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.getvalue and is implemented without validation or restriction of the executed commands. If an attacker can...

[SECURITY] Fedora 43 Update: bind-dyndb-ldap-11.11-11.fc43

This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server...

penclaw

🦀 PenClaw AI-powered penetration testing CLI. One command...

CVE-2026-33940

A flaw was found in Handlebars.js. A remote attacker can exploit this vulnerability by providing a specially crafted object within the template context. This crafted object, when processed by a dynamic partial lookup, can bypass security checks and be interpreted as malicious code. This allows th...

UBUNTU-CVE-2026-23399

In the Linux kernel, the following vulnerability has been resolved: nftables: nftdynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFPATOMIC fails, then the first stateful expression remains in place without being released....

SUSE CVE-2026-32301

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery SSRF when configured with a dynamic JWKS endpoint URL using template variables e.g. tenant. An unauthenticated attacker can craft a JWT with a malicious iss or...

SUSE CVE-2026-32940

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist - it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

Linux Distros Unpatched Vulnerability : CVE-2026-23399

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - nftables: nftdynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFPATOMIC fails, then t...

CVE-2026-33940

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the...

DEBIAN-CVE-2026-33940

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the...