31 matches found
Astra Linux - vulnerability in linux-5.10
In the Linux kernel, the following vulnerability has been resolved: media: nuvoton: An error check in npcm_video_ece_init has been fixed. When the function of_find_device_by_node fails, it returns NULL instead of an error code. Therefore, the corresponding error check logic should be modified to check...
EUVD-2026-24903
In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Ja...
GHSA-VVXM-VXMR-624H Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`
Summary: An unsanitised filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including the server's absolute DATA_DIR path — is returned verbatim in the HTTP 400 response body, confirming information...
io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response...
EUVD-2025-205222
In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match In ima_match_rules, if ima_filter_rule_match returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is...
SUSE CVE-2023-53845
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix infinite loop in nilfs_mdt_get_block If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata file is invalid, nilfs_bmap_lookup_at_level may return the same...
Unity Linux 20.1070e Security Update: kernel (UTSA-2025-990883)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-990883 advisory. In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported acpi_evaluate_object may retu...
CVE-2025-62397 Moodle: router produces json instead of 404 error for invalid course id
The router’s inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance...
CVE-2025-29157
An issue in petstore v.1.0.7 allows a remote attacker to execute arbitrary code via accessing a non-existent endpoint /cart, the server returns a 404-error page exposing sensitive information including the Servlet name (default) and server version...
CVE-2025-29157
CVE-2025-29157 concerns the Swagger Petstore sample (version 1.0.7). The issue occurs when an attacker accesses a non-existent endpoint like /cart, causing the server to return a 404 error page that reveals sensitive information, including the servlet name (default) and server version. The descri...
GHSA-W765-JM6W-4HHJ Webrecorder packages are vulnerable to XSS through 404 error handling logic
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL derived from the original request target is directly embedded into an inline block without sanitization or escaping. This allows an attacker to craft ...
Cross-site Scripting (XSS)
Overview: @webrecorder/wabac is a service worker based web archive replay. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the 404 error handling process. An attacker can execute arbitrary JavaScript in the victim's browser by crafting a malicious URL that injects...
CVE-2020-11663
CA API Developer Portal 4.3.1 and earlier handles 404 requests in an insecure manner, which allows attackers to perform open redirect attacks...
SUSE CVE-2025-30474
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception messag...
AZL-53967 CVE-2024-53060 affecting package kernel for versions less than 6.6.64.2-1
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported acpi_evaluate_object may return AE_NOT_FOUND failure, which would result in dereferencing buffer.pointer (obj) while being NULL. Although this case may be unrealisti...
CVE-2024-53060 drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported acpi_evaluate_object may return AE_NOT_FOUND failure, which would result in dereferencing buffer.pointer (obj) while being NULL. Although this case may be unrealisti...
UBUNTU-CVE-2024-6162
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processe...
Unable to create New Machine Catalogs or New virtual machines in existing Machine Catalogs
Issue: Unable to create New Machine Catalogs or New virtual machines in existing Machine Catalogs. Error: Failed to create virtual machine 'VM', account name was not found. Description: Unable to add new machines in existing machine catalogs. Unable to create new machine catalogs. Unable to...
Azure VDAs are shown as "power state: unknown" in Studio
Power state in Studio toggles between "unknown" and "on" or "off" for VMs hosted in Azure. You may find the below entries in the hosting connection test or in the CDF traces Error: Invalid connection settings. System.IO.FileNotFoundException: Could not load file or assembly 'System.Net.Http,...