Astra Linux - уязвимость в intel-microcode

Protection mechanism failure in some 3rd and 4th Generation IntelR XeonR Processors when using IntelR SGX or IntelR TDX may allow a privileged user to potentially enable escalation of privilege via local access...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

AlmaLinux 8 : fence-agents (ALSA-2026:12176)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:12176 advisory. cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves CVE-2026-26007 pyjwt: PyJWT accepts unknown crit header...

webkitgtk: A website may be able to track users through Safari web extensions

A flaw was found in WebKitGTK. A malicious website can track users through web extensions due to improper state management...

CVE-2026-39710

Cross-Site Request Forgery CSRF vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Cross Site Request Forgery.This issue affects RT-Theme 18 | Extensions: from n/a through = 2.5...

webkitgtk: A website may be able to track users through Safari web extensions

A flaw was found in WebKitGTK. A malicious website can track users through web extensions due to improper state management...

Google Chrome 竞争条件问题漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 147.0.7727.138 contained a vulnerability related to competition conditions in the MHTML component. This vulnerability could allow attackers to trick users into installing malicious extensions, thereby...

82 Chrome Extensions Found Selling User Data, 6.5 Million Users Affected

LayerX research finds 82 Chrome extensions collecting and selling user data, affecting at least 6.5 million users through disclosed but concerning practices...

JLSEC-2026-276 Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads...

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker c...

RLSA-2026:10702 Important: webkit2gtk3 security update

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari...

webkit2gtk3 security update

An update is available for webkit2gtk3. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list WebKitGTK is the port of the portable web rendering engine WebKit to the...

Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware

Cybersecurity researchers have flagged dozens of Microsoft Visual Studio Code VS Code extensions on the Open VSX repository that are linked to a persistent information-stealing campaign dubbed GlassWorm. The cluster of 73 extensions has been identified as cloned versions of their legitimate...

CLSA-2026-1777279578 java-11-openjdk: Fix of 6 CVEs

Upgrade to openjdk-11.0.30+7 GA. The following CVEs were fixed: - CVE-2026-21945: enhance certificate checking - CVE-2026-21932: enhance handling of URIs - CVE-2026-21933: improve HttpServer request handling - CVE-2026-21925: improve JMX connections - CVE-2025-64720: update libpng to 1.6.51 -...

webkitgtk: A website may be able to track users through Safari web extensions

A flaw was found in WebKitGTK. A malicious website can track users through web extensions due to improper state management...

RHEL 8 : webkit2gtk3 (RHSA-2026:10702)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:10702 advisory. WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: Processing maliciously...

OESA-2026-2074 llvm security update

LLVM is a compiler infrastructure designed for compile-time, link-time, runtime, and idle-time optimization of programs from arbitrary programming languages. Security Fixes: When using Arm Cortex-M Security Extensions CMSE, Secure stack contents can be leaked to Non-secure state via floating-poin...

OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution

The product custom option file upload in OpenMage LTS uses an incomplete blocklist "forbiddenextensions = php,exe" to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as ".phtml", ".phar", ".php3", ".php4", ".php5",...

[SECURITY] Fedora 44 Update: pie-1.4.1-1.fc44

PIE PHP Installer for Extensions. PIE can install an extension to any installed PHP version. A list of extensions that support PIE can be found on https://packagist.org/extensions. Documentation: /usr/share/doc/pie/docs/usage.md...

CVE-2026-31561

In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Remove X86CR4FRED from the CR4 pinned bits mask Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine...

CVE-2026-31561 x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask

In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Remove X86CR4FRED from the CR4 pinned bits mask Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine...