Astra Linux - уязвимость в linux-5.10, linux

In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Fixed the issue of locking the global state without backoff. We need to acquire the lock after the early return in the !hwpipe case. Otherwise, we might encounter contention but still return 0. This fix addresses an...

Astra Linux - уязвимость в linux-5.10, linux-5.15, linux

In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Return error code in mdp5mixerrelease when deadlock is detected There is a possibility for mdp5getglobalstate to return -EDEADLK when acquiring the modeset lock, but currently globalstate in mdp5mixerrelease doesn't...

Astra Linux - уязвимость в linux-5.10, linux-5.15, linux

In the Linux kernel, the following vulnerabilities have been resolved: drm/msm/mdp5: The return error code in mdp5piperelease occurs when a deadlock is detected. mdp5getglobalstate runs the risk of encountering an -EDEADLK error when acquiring the modeset lock. Currently, mdp5piperelease does not...

CVE-2026-40594 pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...

CVE-2026-40594 pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...

CVE-2026-40594

CVE-2026-40594 affects pyLoad: the set_session_cookie_secure before_request in pyload/webui/app/init .py reads X-Forwarded-Proto without origin validation and mutates the global Flask SESSION_COOKIE_SECURE on every request. With Cheroot’s multi-threaded server (request_queue_size=512), this creat...

GHSA-MP82-FMJ6-F22V pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

Summary The setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSIONCOOKIESECURE on every request...

pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

Summary The setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSIONCOOKIESECURE on every request...

Cross-site Scripting (XSS)

Overview dtale is a Web Client for Visualizing Pandas Objects Affected versions of this package are vulnerable to Cross-site Scripting XSS through the DtaleRedis.get and shelf storage code in dtale/globalstate.py. An attacker can run arbitrary code on the server by supplying a crafted pickle...

GHSA-82FW-CH24-J34W Lollms has an Improper Access Control vulnerability

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

CVE-2026-1117

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

CVE-2026-1117

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

CVE-2026-1117

The CVE-2026-1117 entry describes a vulnerability in parisneo/lollms (version 5.9.0) where the lollms_generation_events.py component registers Socket.IO events (generate_text, cancel_generation, generate_msg, generate_msg_from) without authentication/authorization checks. This allows unauthentica...

CVE-2026-1117 Improper Access Control in parisneo/lollms

A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-004839)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004839 advisory. In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Fix global state lock backoff We need to grab the lock after the early return for...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993112)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993112 advisory. In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Fix global state lock backoff We need to grab the lock after the early return for...

Astra Linux - уязвимость в linux-6.12

In the Linux kernel, the following vulnerability has been resolved: xfrm: Duplicate SPI Handling The issue originates when Strongswan initiates an XFRMMSGALLOCSPI Netlink message, which triggers the kernel function xfrmallocspi. This function is expected to ensure uniqueness of the Security...

EUVD-2022-55438

Malicious code in bioql PyPI...

EUVD-2023-44451

Malicious code in bioql PyPI...

Angular 竞争条件问题漏洞

Angular is a development platform of Angular open source. It is used to build mobile and desktop web applications using Typescript / JavaScript and other languages. Angular suffers from a Competing Conditions Issue vulnerability that stems from the possibility that DI containers may share or...