[SECURITY] Fedora 44 Update: rrdtool-1.9.0-11.fc44

RRD is the Acronym for Round Robin Database. RRD is a system to store and display time-series data i.e. network bandwidth, machine-room temperature, server load average. It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data t...

PT-2026-44553

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/block id/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in t...

PT-2026-44266

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 7.0.11-1.1 Description In the ASoC qcom q6apm-lpass-dai component, the prepare function can be called multiple times, leading to multiple graph opens for the playback path. This behavior results in memory leaks...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagjson to...

CVE-2026-42328

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

CVE-2026-42328

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

[SECURITY] Fedora 42 Update: rrdtool-1.9.0-8.fc42

RRD is the Acronym for Round Robin Database. RRD is a system to store and display time-series data i.e. network bandwidth, machine-room temperature, server load average. It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data t...

CVE-2026-44830

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when APITOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS alloworigins="",...

CVE-2026-44830 Empty API_TOKEN disables authentication on network-reachable HTTP/SSE transport

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when APITOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS alloworigins="",...

EUVD-2026-32520

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when APITOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS alloworigins="",...

GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

Incorrect Behavior Order: Validate Before Canonicalize

Overview @fedify/fedify is an An ActivityPub server framework Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through manipulation of JSON-LD document structure using keywords such as @graph, @included, and @reverse. An attacker can alter...

Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

CVE-2026-44730

OpenCTI (open-source platform for threat intel) has a privilege-escalation vulnerability affecting the GraphQL API prior to version 6.9.7. An organization admin can elevate privileges by adding a user from a different organization with higher privileges to their own organization due to an incorre...

CVE-2026-44730 OpenCTI: Privilege escalation via graphQL API abusable by organization admins, due to incorrect ACL on userEdit relationAdd

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL o...

PT-2026-43443

Name of the Vulnerable Software and Affected Versions Fedify versions prior to 1.9.11 Fedify versions prior to 1.10.10 Fedify versions prior to 2.0.18 Fedify versions prior to 2.1.14 Fedify versions prior to 2.2.3 Description An attacker can utilize JSON-LD features to restructure a JSON-LD...

Disentangling Adversarial Prompts: A Semantic-Graph Defense for Robust LLM Security

Large Language Models LLMs are increasingly vulnerable to adversarial prompts that exploit semantic ambiguities to bypass safety mechanisms, resulting in harmful or inappropriate outputs. Such attacks, including jailbreaking and prompt injection, pose significant risks to the integrity and...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query. An attacker can access sensitive information, including model names, version descriptions, source URIs, tags, and other...

CVE-2026-2734

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVE-2026-2734

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...