google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

crypto/x509: Incorrect enforcement of email constraints in crypto/x509

A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly...

Important: Red Hat Security Advisory: rhc security update

An update for rhc is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for ea...

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

SuperWebmailer 7.21.0.01526 - Remote Code Execution

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection. id: CVE-2020-11546 info: name: SuperWebmailer...

Important: expat security update

Expat is a C library for parsing XML documents. Security Fixes: libexpat: denial of service via crafted XML input CVE-2026-45186 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the...

SHIELDS: Automating OS Hardening with Iterative Multi-Agent Remediation

Security misconfigurations remain a leading cause of OS-level compromise, and manually keeping systems compliant with standards like Defense Information Systems Agency DISA Security Technical Implementation Guides STIGs is a tedious and expensive process. Existing compliance automation tools can...

ALSA-2026:22715 Important: expat security update

Expat is a C library for parsing XML documents. Security Fixes: libexpat: denial of service via crafted XML input CVE-2026-45186 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the...

Improper Output Neutralization for Logs

Overview std/net/textproto is a Go standard library package std/net/textproto Affected versions of this package are vulnerable to Improper Output Neutralization for Logs. Go Vulnerability Report: When returning errors, functions in the net/textproto package would include its input as part of the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

CVE-2026-10607

A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dedehtmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used...

CVE-2026-10607

The vulnerability CVE-2026-10607 affects DedeCMS 5.7.88. The issue resides in the function dede_htmlspecialchars in /plus/flink.php, where manipulation of the msg argument leads to an SQL injection. Attacks can be remote, and exploitation is publicly available. Impact is described as potentially ...

EUVD-2026-33981

A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argument msg can lead to sql injection. The attack can be launched remotely. The exploit has been public...

CVE-2026-10606 DedeCMS Feedback feedback.php TrimMsg sql injection

A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argument msg can lead to sql injection. The attack can be launched remotely. The exploit has been public...

CVE-2026-10263

A vulnerability was found in SourceCodester Computer Repair Shop Management System up to 1.0. Affected is an unknown function of the file /admin/products/manageproduct.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made...

EUVD-2026-33951

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section...

CVE-2026-35717

A stack-based buffer overflow in the exportlanguage.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/exportlanguage.cgi endpoint. The handler passes the...

EUVD-2026-33916

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...