CVE-2026-41013

CVE-2026-41013 describes an input validation bypass in the SMB volume mount handling of CloudFoundry Foundation’s diego-release. The vulnerability allows a low-privileged CF space developer to inject arbitrary kernel CIFS mount options by bypassing the mount-option allowlist, enabling privilege e...

CVE-2026-45505 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as masterslave:vm://...,... and static:vm://... incorrectly pass validation allowing bypass o...

PT-2026-38372

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description Netty's DNS codec fails to enforce RFC 1035 domain name constraints during encoding and decoding, creating a bidirectional attack surface. In the encoder, t...

net-imap vulnerable to command Injection via "raw" arguments to multiple commands

Summary Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. Details Net::IMAP's...

Amazon Linux 2023 : python3.14, python3.14-devel, python3.14-freethreading (ALAS2023-2026-1617)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1617 advisory. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, a...

Improper Validation of Specified Type of Input

Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input via the schema.body.content when a space is prepended to the Content-Type header. An attacker can bypass input validation by sending...

SUSE CVE-2026-33948

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands

Summary basic-ftp's CRLF injection protection added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q is incomplete. Two code paths bypass the protectWhitespace control character check: 1 the login method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation,...

CVE-2026-32990

A flaw was found in Apache Tomcat. This improper input validation vulnerability stems from an incomplete fix for a previous security issue CVE-2025-66614. This flaw may allow an attacker to bypass security controls or cause unexpected behavior within the application. Mitigation Mitigation for thi...

CVE-2026-4631

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...

CVE-2026-33406 Pi-hole has a Stored HTML attribute injection

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js,...

Amazon Linux 2 : python, --advisory ALAS2-2026-3218 (ALAS-2026-3218)

The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3218 advisory. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |=...

CVE-2026-31996

OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for...

SUSE CVE-2026-30861

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. From version 0.2.5 to before version 0.2.10, an unauthenticated remote code execution RCE vulnerability exists in the MCP stdio configuration validation. The application allows unrestricted user...

CVE-2026-23920

The CVE describes a bypass of input validation for host and event action scripts where a regex (admin-set) is evaluated in multiline mode. If ^ and $ anchors are used in input validation, an injected newline can bypass the check and allow authenticated users to inject shell commands. The descript...

SUSE-SU-2026:20926-1 Security update for tomcat11

This update for tomcat11 fixes the following issues: Update to Tomcat 11.0.18: - CVE-2025-66614: client certificate verification bypass due to virtual host mapping bsc1258371. - CVE-2026-24733: improper input validation on HTTP/0.9 requests bsc1258385. - CVE-2026-24734: certificate revocation...

EUVD-2026-13031

OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for...

GHSA-GGM6-H3MX-CMMP Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4685-c5cp-vp95. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allow...

CVE-2026-31996

OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for...

CVE-2026-3644

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output validation applie...