GHSA-56CJ-WGG3-X943 Envoy affected by off-by-one write in JsonEscaper::escapeString()
Summary: An off-by-one write in Envoy::JsonEscaper::escapeString can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. Details: The bug is in the control-character...
GO-2026-4622 OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes in github.com/OliveTin/OliveTin
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes in github.com/OliveTin/OliveTin...
DEBIAN-CVE-2026-30928
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...
CVE-2026-30928
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...
Exploit for CVE-2026-27944
Nginx UI Discovery Scanner - CVE-2026-27944 Version Detector ht...
CVE-2026-25679 vulnerabilities
Vulnerabilities for packages: cluster-api-aws-controller-fips, spicedb, crane, kube-bench, gitlab-kas, nfpm, s5cmd-fips, kepler, yace-fips, rancher-security-scan, containerd-fips, livekit-cli, secrets-store-csi-driver-provider-gcp-fips, postgres-operator-fips, longhorn-share-manager,...
GHSA-J4J7-VW47-RHFQ vulnerabilities
Vulnerabilities for packages: cluster-api-aws-controller-fips, spicedb, gitlab-kas, kepler, livekit-cli, secrets-store-csi-driver-provider-gcp-fips, longhorn-share-manager, crossplane-function-go-templating, crossplane-function-go-templating-fips, gitlab-operator-fips, kyverno-policy-reporter-fip...
Devolutions Server <= 2025.3.15.0 Multiple Vulnerabilities (DEVO-2026-0005)
The version of Devolutions Server installed on the remote host is 2025.3.15.0 or earlier. It is, therefore, affected by multiple vulnerabilities: - Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated...
PT-2026-24378
Name of the Vulnerable Software and Affected Versions: Envoy versions prior to 1.34.13; Envoy versions prior to 1.35.8; Envoy versions prior to 1.36.5; Envoy versions prior to 1.37.1. Description: Envoy is a high-performance edge/middle/service proxy. An off-by-one write in the...
PT-2026-24617
Summary: An off-by-one write in Envoy::JsonEscaper::escapeString can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. Details: The bug is in the control-character...
Linux Distros Unpatched Vulnerability : CVE-2026-29062
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - jackson-core contains core low-level incremental streaming parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before versio...
PT-2026-24433
Name of the Vulnerable Software and Affected Versions: Sequelize versions prior to 6.37.8. Description: Sequelize, a Node.js ORM tool, contains a SQL injection flaw due to unescaped cast type handling within JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys using ':...
Malicious code in json-merge-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f16e8d9c37feb30d5a44f7a94620c3a09d182a34cd5ccc1e7c97aaf4a991ab10 The package json-merge-tool was found to contain malicious code. Source: ghsa-malware 4bb041118bdac1123bd722a9b1f99ddb6ca406f7ce80d5de344b2c36614b89e...
Malicious Package
Overview: json-merge-tool is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-1297 Malicious code in json-merge-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f16e8d9c37feb30d5a44f7a94620c3a09d182a34cd5ccc1e7c97aaf4a991ab10 The package json-merge-tool was found to contain malicious code. Source: ghsa-malware 4bb041118bdac1123bd722a9b1f99ddb6ca406f7ce80d5de344b2c36614b89e...
EUVD-2025-208452
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/startwindows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUISECRETKEY leads to insufficiently random values. It is possible to launch the attack...
EUVD-2025-208453
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/startwindows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUISECRETKEY leads to insufficiently random values. It is possible to launch the attack...
CVE-2025-15603
A security vulnerability has been detected in open-webui up to 0.6.16. Affected is an unknown function of the file backend/startwindows.bat of the component JWT Key Handler. Such manipulation of the argument WEBUISECRETKEY leads to insufficiently random values. It is possible to launch the attack...
EUVD-2026-10172
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters...
GHSA-X6FW-778M-WR9V Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Impact: The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an...