CVE-2026-6019

CVE-2026-6019 affects Python’s http.cookies.Morsel.js_output(), which can emit an inline sequence inside the generated script. Public sources indicate the fix is included in Python updates bundled in SUSE’s python39/python3 advisories (SUSE-SU-2026:1818-1) and OSV entries, with mitigation noting...

CVE-2026-6019

http.cookies.Morsel.jsoutput returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value...

GHSA-VX9M-XJWF-8CQM uutils coreutils has an Improper Handling of Unicode Encoding Issue

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

uutils coreutils has an Improper Handling of Unicode Encoding Issue

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms e.g., ln SOURCE... DIRECTORY. While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation...

DRUPAL-CONTRIB-2026-033

This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using...

CVE-2026-35375 uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

CVE-2026-35375 uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

CVE-2026-35375

CVE-2026-35375 concerns the uutils coreutils split utility, where a logic error causes output filenames to be corrupted when given non-UTF-8 prefixes/suffixes. The code uses to_string_lossy() to build chunk filenames, which rewrites invalid bytes as the UTF-8 replacement character (U+FFFD). Unlik...

CVE-2026-35373 uutils coreutils ln Local Denial of Service via Improper Handling of Non-UTF-8 Filenames

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms e.g., ln SOURCE... DIRECTORY. While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation...

actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length. Severit...

GHSA-XHJ4-VRGC-HR34 actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length. Severit...

[SECURITY] Fedora 42 Update: python-cbor2-5.6.5-8.fc42

This library provides encoding and decoding for the Concise Binary Object Representation CBOR RFC 7049 serialization format...

CLSA-2026-1776855452 libsoup: Fix of 2 CVEs

CVE-2026-1801: use CRLF as line boundary when parsing chunked encoding data to prevent HTTP request smuggling via lone LF - CVE-2026-2443: reject Range header ends exceeding content length to prevent out-of-bounds read in byte range handling...

CLSA-2026-1776854729 libsoup: Fix of 2 CVEs

CVE-2026-1801: use CRLF as line boundary when parsing chunked encoding data to prevent HTTP request smuggling via lone LF - CVE-2026-2443: reject Range header ends exceeding content length to prevent out-of-bounds read in byte range handling...

[SECURITY] Fedora 43 Update: python-cbor2-5.6.5-8.fc43

This library provides encoding and decoding for the Concise Binary Object Representation CBOR RFC 7049 serialization format...

PT-2026-34625

Name of the Vulnerable Software and Affected Versions Obfuscate versions 0.0.0 through 2.0.1 Description Improper neutralization of input during web page generation allows Cross-Site Scripting XSS. The module, which obfuscates email addresses in content, fails to sufficiently sanitize user input...

PT-2026-34549

Name of the Vulnerable Software and Affected Versions Python affected versions not specified Description The js output function in http.cookies.Morsel returns an inline snippet that only escapes double quotes for JavaScript string context. It fails to neutralize the HTML parser-sensitive sequence...

actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length...

SUSE SLED15 / SLES15 Security Update : ImageMagick (SUSE-SU-2026:1497-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1497-1 advisory. - CVE-2026-24484: denial of service via multi-layer nested MVG to SVG conversion bsc1258790. - CVE-2026-28493:...

PT-2026-34509

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms e.g., ln SOURCE... DIRECTORY. While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation...