1036 matches found
SUSE CVE-2026-23520
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane's updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to r...
Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005089)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005089 advisory. In the Linux kernel, the following vulnerability has been resolved: selinux,smack: don't bypass permissions check in inode_setsecctx hook Marek Gresko reports that th...
ALPINE-CVE-2025-9820
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the applicatio...
GO-2026-4320 Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE in github.com/getarcaneapp/arcane/backend
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE in github.com/getarcaneapp/arcane/backend...
Cross-site Scripting (XSS)
Overview solspace/craft-freeform is a flexible and user-friendly form building plugin! Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the use of the dangerouslySetInnerHTML function in various client and plugin page components. An attacker can execute arbitrar...
Azure Linux 3.0 Security Update: dhcp (CVE-2022-2929)
The version of dhcp installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-2929 advisory. - In ISC DHCP 1.0 - 4.4.3, ISC DHCP 4.1-ESV-R1 - 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DH...
Azure Linux 3.0 Security Update: kernel (CVE-2025-38072)
The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-38072 advisory. - In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in...
CVE-2026-23516 CVAT vulnerable to XSS via skeleton SVG images
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...
CVE-2026-23516
CVAT (open-source annotation tool) is affected in versions 2.2.0–2.54.0 by an XSS-like vulnerability that lets an attacker execute arbitrary JavaScript in a victim user’s CVAT UI session. The attack requires the attacker to create a malicious label or an SVG in a skeleton configuration and coerce...
CVE-2026-23516
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...
PT-2026-3868
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or...
OPENSUSE-SU-2026:20060-1 Security update for cargo-c
This update for cargo-c fixes the following issues: - CVE-2025-4574: crossbeam-channel: Fixed double-free on drop in Channel::discard_all_messages (bsc#1243179) - CVE-2025-58160: tracing-subscriber: Fixed log pollution (bsc#1249012) - CVE-2024-12224: idna: Fixed improper validation of Punycode labels...
SUSE-SU-2026:20096-1 Security update for cargo-c
This update for cargo-c fixes the following issues: - CVE-2025-4574: crossbeam-channel: Fixed double-free on drop in Channel::discard_all_messages (bsc#1243179) - CVE-2025-58160: tracing-subscriber: Fixed log pollution (bsc#1249012) - CVE-2024-12224: idna: Fixed improper validation of Punycode labels...
MiracleLinux 3 : mcstrans-0.2.7-1AXS3 (AXBA:2008-181:01)
The remote MiracleLinux 3 host has a package installed that is affected by a vulnerability as referenced in the AXBA:2008-181:01 advisory. - Algorithmic complexity vulnerability in the MCS translation daemon in mcstrans 0.2.3 allows local users to cause a denial of service (temporary daemon outage...
MiracleLinux 3 : mcstrans-0.2.7-1AXS3 (AXBA:2008-372:02)
The remote MiracleLinux 3 host has a package installed that is affected by a vulnerability as referenced in the AXBA:2008-372:02 advisory. - Algorithmic complexity vulnerability in the MCS translation daemon in mcstrans 0.2.3 allows local users to cause a denial of service (temporary daemon outage...
CVE-2026-23520
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to r...
CVE-2026-23520
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to r...
GHSA-GJQQ-6R35-W3R8 Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE
Summary Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitizati...
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE
Summary Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitizati...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the updater service which supported lifecycle labels. An attacker can execute arbitrary commands by supplying a crafted value to the lifecycle label, which is then passed unsanitized to the shell for execution when...