8605 matches found

Github Security Blog
added 2026/04/14 1:03 a.m., 4 views

Rand is unsound with a custom logger using rand::rng()

It has been reported by @lopopolo that the rand library is unsound, i.e. that safe code using the public API can cause Undefined Behaviour when all of the following conditions are met: the log and thread_rng features are enabled; a custom logger is defined; the custom logger accesses rand::rng...

AI score 5.7
Exploits 0, References 3, Affected Software 1
Positive Technologies
added 2026/04/14 12:00 a.m., 6 views

PT-2026-32714

CVE-2026-0207: A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions. https://t.co/aX7fhIcRqI...

CVSS 8.5, AI score 5.7, EPSS 0.00378
Exploits 0, References 3
Positive Technologies
added 2026/04/14 12:00 a.m., 5 views

PT-2026-34189

Vulnerable software and affected versions: Oxia versions prior to 0.16.2. Description: When OIDC (OpenID Connect, an identity layer on top of the OAuth 2.0 protocol) authentication fails, the full bearer token is logged in plaintext at the DEBUG level. If debug logging is enabled in...

CVSS 8.7, AI score 5.9, EPSS 0.00308
Exploits 0, References 7
SUSE CVE
added 2026/04/13 11:26 p.m., 5 views

SUSE CVE-2026-31428

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD. __build_packet_message manually constructs the NFULA_PAYLOAD netlink attribute using skb_put and skb_copy_bits, bypassing the standard nla_reserve/nla_put helpers. Whi...

CVSS 5.5, AI score 5.7, EPSS 0.00124
Exploits 0, References 17
SUSE CVE
added 2026/04/13 11:25 p.m., 2 views

SUSE CVE-2026-40228

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set...

CVSS 2.9, AI score 5.9, EPSS 0.00173
Exploits 1, References 3
EUVD
added 2026/04/13 6:30 p.m., 3 views

EUVD-2025-209419

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

AI score 5.8, EPSS 0.00192
Exploits 0, References 3
RedhatCVE
added 2026/04/13 5:23 p.m., 3 views

CVE-2026-40021

A flaw was found in Apache Log4net. An attacker who can influence specific data fields within log messages can exploit this vulnerability. By injecting characters forbidden by the XML 1.0 specification, the attacker can cause an exception during log serialization, leading to the silent loss of lo...

CVSS 6.3, AI score 5.7, EPSS 0.0075
Exploits 0, References 2
NVD
added 2026/04/13 4:16 p.m., 2 views

CVE-2025-69627

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

CVSS 8.4, EPSS 0.00192
Exploits 0, References 2
RedhatCVE
added 2026/04/13 4:09 p.m., 5 views

CVE-2026-34480

A flaw was found in Apache Log4j Core. The XmlLayout component, responsible for formatting log messages into XML, does not properly remove or replace characters that are not allowed in XML 1.0. When log messages or diagnostic information contain these forbidden characters, the resulting XML outpu...

CVSS 7.5, AI score 5.7, EPSS 0.0086
Exploits 0, References 8
Vulnrichment
added 2026/04/13 2:20 p.m., 3 views

CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and the security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though...

AI score 5.8, EPSS 0.00439
Exploits 0, References 2
GithubExploit
added 2026/04/13 5:36 a.m., 105 views

Bluetooth-app

Bluetooth Security Testing App: a Kivy-based Android applicati...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/04/13 5:10 a.m., 4 views

CVE-2026-31789

A flaw was found in OpenSSL. This vulnerability, a heap buffer overflow, affects 32-bit systems when processing an unusually large X.509 certificate. If an application or service attempts to print or log such a specially crafted certificate, it could lead to a system crash or potentially allow an...

CVSS 9.8, AI score 6.1, EPSS 0.00225
Exploits 0, References 3
Vulnrichment
added 2026/04/13 12:00 a.m., 2 views

CVE-2025-69627

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...

AI score 5.8, EPSS 0.00192
Exploits 0, References 2
GithubExploit
added 2026/04/12 4:23 p.m., 83 views

patchbot

patchbot is an AI-assisted security reviewer for p...

AI score 6.1
Exploits 0
Veracode
added 2026/04/11 5:08 a.m., 5 views

Improper Output Handling

Apache Log4j Core is vulnerable to Improper Output Handling. The vulnerability is due to XmlLayout failing to sanitize characters forbidden by the XML 1.0 specification, allowing log messages or MDC values to produce malformed XML or trigger exceptions during logging, which can lead to dropped or...

CVSS 7.5, AI score 5.8, EPSS 0.0086
Exploits 0, References 7, Affected Software 1
vulnersOsv
added 2026/04/10 6:31 p.m., 9 views

ai.catboost:catboost-spark_4.0_2.13 (=1.2.10), ai.catboost:catboost-spark_4.1_2.13 (=1.2.10) +7252 more potentially affected by CVE-2026-34478 via org.apache.logging.log4j:log4j-core (>=2.21.0 <=2.25.3)

org.apache.logging.log4j:log4j-core, MAVEN, versions =2.21.0, =0.27.0, =0.26.0, =3.10.0.5, =3.0.0, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.3 and more. Source CVEs: CVE-2026-34478. Source advisory: OSV:GHSA-445C-VH5M-36RJ...

CVSS 7.5, AI score 6.5, EPSS 0.00831
Exploits 0
Snyk
added 2026/04/10 5:08 p.m., 5 views

Improper Encoding or Escaping of Output

Overview: Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XMLLayout component. An attacker can cause log records to be silently dropped or fail to be indexed by injecting XML 1.0 forbidden characters into logged data, which results in invalid XML...

CVSS 6.3, AI score 5.8, EPSS 0.00499
Exploits 0, References 2
Snyk
added 2026/04/10 5:06 p.m., 0 views

Improper Encoding or Escaping of Output

Overview: Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output when JsonTemplateLayout logs a MapMessage. An attacker can cause downstream log processing systems to reject or fail to index affected records by supplying non-finite floating-point values such as...

CVSS 7.7, AI score 5.3, EPSS 0.00555
Exploits 0, References 2
vulnersOsv
added 2026/04/10 5:06 p.m., 8 views

ai.catboost:catboost-spark_4.0_2.13 (=1.2.10), ai.catboost:catboost-spark_4.1_2.13 (=1.2.10) +7252 more potentially affected by CVE-2026-34478 via org.apache.logging.log4j:log4j-core (>=2.21.0 <=2.25.3)

org.apache.logging.log4j:log4j-core, MAVEN, versions =2.21.0, =0.27.0, =0.26.0, =3.10.0.5, =3.0.0, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.3 and more. Source CVEs: CVE-2026-34478. Source advisory: SNYK:JAVA-ORGAPACHELOGGINGLOG4J-15967739...

CVSS 7.5, AI score 6.5, EPSS 0.00831
Exploits 0
OSV
added 2026/04/10 4:16 p.m., 7 views

UBUNTU-CVE-2026-34481

Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. Th...

CVSS 7.5, AI score 5.8, EPSS 0.00555
Exploits 0, References 8