Android Security Bulletin—May 2026Stay organized with collectionsSave and categorize content based on your preferences.

This Android Security Bulletin contains details of security vulnerabilities that affect Android devices. Security patch levels of 2026-05-01 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version. Within 48 hours afte...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: libbpf: Fixed an issue of accessing the BTF.ext corerelo header. Updated btfextparseinfo to ensure that the corerelo header is present before reading its fields. This prevents a potential buffer read overflow reported by the OSS...

Astra Linux – Vulnerability in qtbase-opensource-src

A issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. There is an incorrect HPack integer overflow check in network/access/http2/hpacktable.cpp...

MAL-2026-3294 Malicious code in ally-allowlist (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a086e259ec0972dac4c5fa5c2e204b09c2158df4e01326321b84676837b85be9 The package ally-allowlist was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @athena-portal/themes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9ceef23383971e2a8f5f8f790c03e71fe17b0a7fc7dee044e2fd39424ce20856 The package @athena-portal/themes was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in ally-antivirus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e5527c47f32b162abebfbbb8a15c8871ef050e5e0b07f8096b573cab2e6dfec The package ally-antivirus was found to contain malicious code. Source: ghsa-malware 094da0aa0245426ad224e9b2a072377a3c07bfc191bc3fab1d2060cdeaf79387...

[SECURITY] Fedora 43 Update: firefox-150.0-1.fc43

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability...

Lyussfyuring002

lyussfyuring002 web exploitation + OSINT toolkit for people...

NextChat 访问控制错误漏洞

NextChat is an open-source project developed by NextChat for quickly deploying private ChatGPT web applications. Versions of NextChat 2.16.1 and earlier contained a access control vulnerability, which was caused by improper cross-domain policies in unknown functions in Next.js files. This...

NextChat 安全漏洞

NextChat is an open-source project developed by NextChat for quickly deploying private ChatGPT web applications. Versions of NextChat 2.16.1 and earlier contained a security vulnerability. This vulnerability stemmed from the improper authorization in the addMcpServer function within the...

[SECURITY] Fedora 42 Update: chromium-147.0.7727.116-1.fc42

Chromium is an open-source web browser, powered by WebKit Blink...

SourceCodester Pharmacy Sales and Inventory System 注入漏洞

SourceCodester Pharmacy Sales and Inventory System is an open-source medication sales and inventory management system developed by SourceCodester. Version 1.0 of the SourceCodester Pharmacy Sales and Inventory System has a SQL injection vulnerability, which arises from incorrect handling of the...

Flipper Zero Firmware 安全漏洞

Flipper Zero Firmware is an open source firmware update and development tool for multifunctional devices from Flipper Devices. A security vulnerability exists in the Flipper Zero Firmware commit ad2a80 version, which originates from a stack overflow in the Main function...

UI UX Pro Max 注入漏洞

UI UX Pro Max is Next Level Builder open source a cross-platform UI/UX intelligent design system generation tool. UI UX Pro Max 2.5.0 and earlier versions of the injection vulnerability , the vulnerability stems from the Tailwind Config Generator component in the...

CVE-2026-42467

An issue was discovered in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe 2025-11-30 in SAEJ1939ReadBinaryDataTransferDM16 causing a denial of service via crafted CAN frame on the J1939 bus...

EUVD-2026-26695

An issue was discovered in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe 2025-11-30 in SAEJ1939ReadBinaryDataTransferDM16 causing a denial of service via crafted CAN frame on the J1939 bus...

CVE-2026-37537

collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 2023-03-08 contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8t index = data0 - 1. When data0 sequence number from CAN frame is 0, index underflows...

CVE-2026-37534

CVE-2026-37534 describes an integer underflow in Open-SAE-J1939 (Open-SAE-J1939_Read_Transport_Protocol_Data_Transfer) triggered by a crafted CAN frame sequence number, allowing an attacker to write to arbitrary memory. Affected component is SAE_J1939_Read_Transport_Protocol_Data_Transfer; root c...

MAL-2026-3313 Malicious code in service-gateway (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0624202d6a746245b4be59c683dc5b0ca64a43bc9524db9388f9f0a7be45d57 The package service-gateway was found to contain malicious code. Source: ghsa-malware 0e3831827037ebf97303c3c075e47b0e1ece3d2c6b38ca75aa2b3d1f7d0a2f0...

CVE-2026-35514

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...