CVE-2026-23953

Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration e.g a member of the ‘incus’ group can create an environment variable containing newlines, which can be used to add additional...

CVE-2026-23953 Incus container environment configuration newline injection

Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration e.g a member of the ‘incus’ group can create an environment variable containing newlines, which can be used to add additional...

CLSA-2026-1769099972 httpd: Fix of 2 CVEs

CVE-2025-65082: fix CGI environment variable injection by preventing HTTP headers from overriding server-set variables and added regression tests - CVE-2025-66200: prevent suexec bypass by removing request notes usage and rejecting the undocumented RequestHeader note option...

Azure Linux 3.0 Security Update: mtr (CVE-2025-49809)

The version of mtr installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-49809 advisory. - mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTRPACKET...

GNU InetUtils Telnetd Remote Authentication Bypass Vulnerability

GNU InetUtils telnetd is a telnet service daemon in the GNU InetUtils suite that listens on TCP port 23 and provides clients with plaintext terminal access based on the Telnet protocol. A remote authentication bypass vulnerability exists in GNU InetUtils Telnetd, which can be exploited to bypass...

VulnCheck KEV: CVE-2026-24061

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable...

Azure Linux 3.0 Security Update: postgresql (CVE-2024-10979)

The version of postgresql installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-10979 advisory. - Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to...

Debian dsa-6106 : inetutils - security update

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6106 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6106-1 [email protected] https://www.debian.org/security/...

CVE-2026-0622

Open 5GS WebUI uses a hard-coded JWT signing key change-me whenever the environment variable JWTSECRETKEY is unset...

Vulnerability fixed in GNU Inetutils telnetd

Security researchers have found a a vulnerability in Inetutils telnetd version 2.7. This vulnerability has been present since version 1.9.3 that came out in 2015, according to the researchers. The vulnerability is in the way the telnetd service handles the USER environment variable. By setting th...

gnu_telnetd_auth_bypass

GNU telnetd Authentication Bypass Vulnerability PoC Vulnerabili...

CVE-2026-24061

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable...

CVE-2026-24061

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable...

CVE-2026-0622

Open 5GS WebUI uses a hard-coded JWT signing key change-me whenever the environment variable JWTSECRETKEY is unset...

CVE-2026-0622

Open5GS WebUI is affected by CVE-2026-0622: by default it uses hard-coded JWT signing keys (the string change-me) when JWT_SECRET_KEY is unset, allowing an unauthenticated network attacker to forge JWTs and gain access to protected WebUI endpoints (notably under /api/db/*). The issue arises from ...

CVE-2026-0622 Open 5GS WebUI uses a hard-coded JWT signing key

Open 5GS WebUI uses a hard-coded JWT signing key change-me whenever the environment variable JWTSECRETKEY is unset...

MiracleLinux 8 : php:8.2 (AXSA:2024-9505:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-9505:01 advisory. php: host/secure cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 php: passwordverify can erroneously return true, opening ATO risk...

PT-2026-3645

Name of the Vulnerable Software and Affected Versions Open 5GS WebUI affected versions not specified Description The software utilizes a hard-coded JWT signing key 'change-me' if the JWT SECRET KEY environment variable is not set. This can allow attackers to forge JWTs and potentially gain...

PT-2026-3756

Name of the Vulnerable Software and Affected Versions GNU Inetutils versions 1.9.3 through 2.7 Description GNU Inetutils telnetd is vulnerable to a remote authentication bypass. An attacker can exploit this flaw by manipulating the USER environment variable, specifically by setting it to "-f root...

openSUSE 16 Security Update : gimp (openSUSE-SU-2026:20055-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20055-1 advisory. Changes in gimp: Update to 3.0.6: - Security: - During development, we received reports from the Zero Day Initiative of potential security issue...