CVE-2026-44939

An input validation flaw in Rancher Manager's import endpoint (/v3/import/{token}_{clusterId}.yaml) allows command injection via unsanitized YAML parameters in versions prior to 2.14.2. Impact: remote attackers could break out of the container image and execute arbitrary code inside containers. R...

Astra Linux – Vulnerability in Firefox

An attacker was able to insert an event handler into a privileged object, allowing arbitrary JavaScript execution in the parent process. Note: This vulnerability only affects Desktop Firefox; mobile versions of Firefox are not affected. This vulnerability applies to Firefox versions earlier than...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: f2fs: fixed to avoid potential panic during recovery. During recovery, if FAULTBLOCK is enabled, it is possible that f2fsreservenewblock will return -ENOSPC during recovery, which may trigger a panic. Additionally, if the faul...

Astra Linux – Vulnerability in Zabbix

A low-privilege regular Zabbix user with API access can exploit the SQL injection vulnerability in the include/classes/api/CApiService.php file to execute arbitrary SQL commands using the groupBy parameter...

Astra Linux – Vulnerability in Netty

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder had a CRLF injection in the request URI during request construction. This led to request smuggling when HttpRequestEncoder w...

Astra Linux – Vulnerability in Intel Microcode

Unauthorized error injection in IntelR SGX or IntelR TDX for certain IntelR XeonR processors may allow a privileged user to potentially enable privilege escalation through local access...

Astra Linux – Vulnerability in OpenSSH

In SSH in OpenSSH before version 9.6, OS command injection could occur if a user name or host name contained shell metacharacters, and this name was referenced by an expansion token in certain situations. For example, a untrusted Git repository might contain a submodule with shell metacharacters ...

Astra Linux – Vulnerability in Apache Log4j1.2

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter, where the values to be inserted are converted using PatternLayout. The message converter %m is likely to always be included. This allows attackers to manipulate SQL statements by entering crafted...

Astra Linux – Vulnerability in Firefox

A transient execution vulnerability, named Floating Point Value Injection FPVI, allowed attackers to leak arbitrary memory addresses and may have also enabled JIT type confusion attacks. A related vulnerability, Speculative Code Store Bypass SCSB, did not affect Firefox. This vulnerability affect...

Astra Linux – Vulnerability in python-urllib3

In the urllib3 library, as of version 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameters...

Astra Linux – Vulnerability in dovecot

The submission service in Dovecot before 2.3.15 allowed for STARTTLS command injection in the lib-smtp library. Sensitive information could be redirected to an address controlled by the attacker...

Astra Linux – Vulnerability in Linux

A issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second or subsequent broadcast fragments even when sent in plaintext and process them as fully unfragmented frames. An adversary can exploit this vulnerability to inject arbitrary...

Astra Linux – Vulnerability in libimage-exiftool-perl

In ExifTool’s lib/Image/ExifTool.pm, version 12.38 incorrectly handles the $file = /|$/ check, resulting in command injection...

Astra Linux – Vulnerability found in Linux 5.15, Linux 5.10

In the Linux kernel versions 5.8 through 5.19.x, prior to 5.19.16, local attackers who were able to inject WLAN frames into the mac80211 stack could carry out a NULL pointer dereferencing denial-of-service attack against the beacon protection of P2P devices...

Astra Linux – Vulnerability in Zabbix

Zabbix allows for the configuration of SMS notifications. AT command injection occurs on the “Zabbix Server” because there is no validation of the “Number” field either on the web interface or on the Zabbix server side. An attacker can send specially crafted phone numbers via SMS and execute...

Astra Linux – Vulnerability in Apache2

Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%varnamex" or "%varnamec" to log variables...

Astra Linux – Vulnerability in libmodule-scandeps-perl

Qualys discovered that if unsanitized input was used with the Modules::ScanDeps library, before version 1.36, a local attacker could potentially execute arbitrary shell commands by opening a “pesky pipe” e.g., passing “commands|” as a filename or by passing arbitrary strings to the eval function...

Astra Linux – Vulnerability in Wireshark

A large loop exists in the Bluetooth DHT dissector in Wireshark versions 3.4.0 to 3.4.9, and 3.2.0 to 3.2.17, which allows for denial of service through packet injection or with crafted capture files...

Astra Linux – Vulnerability in python-tornado

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the provided “reason” phrase is used unescaped in HTTP headers where it could be used for header injection or in HTML on the default error page where it could be used for XSS attacks. This...

Astra Linux – Vulnerability found in Linux 5.15, Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: Regulator: Core – Fixed a resource leak in regulatorregister. I received some reports of resource leaks during fault injection tests: - ERROR: Memory leak; expected refcount 1 instead of 100. - ofnodeget/ofnodeput is unbalance...