30624 matches found
CVE-2026-34354
Akamai Guardicore Platform Agent GPA and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the...
Linux Distros Unpatched Vulnerability : CVE-2026-43406
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libceph: prevent potential out-of-bounds reads in processmessageheader If the message frame is maliciously corrupted in a way that the length of the control...
GHSA-G49P-4QXJ-88V3 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution
Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...
Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution
Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...
Active Debug Code
Overview Affected versions of this package are vulnerable to Active Debug Code via the Installer process. An attacker can access sensitive server configuration, environment variables, filesystem paths, and loaded PHP extensions by sending an unauthenticated GET request with the phpinfo parameter...
Arbitrary File Upload
Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the Plugins::add process. An attacker can execute arbitrary code, overwrite sensitive files, and gain full control of the server by uploading a specially crafted ZIP archive containing file paths with directory...
CVE-2026-26956
A flaw was found in vm2, an open-source sandbox for Node.js. An attacker can exploit this vulnerability by running malicious code within the VM.run function, allowing them to escape the sandbox and gain access to the host process. This can lead to arbitrary code execution on the host system,...
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS
A flaw in golang.org/x/crypto/ssh/agent causes the SSH agent client to panic when a peer responds with the generic SSHAGENTSUCCESS 0x06 message to requests expecting typed replies e.g., List, Sign. The unmarshal layer produces an unexpected message type, which the client code does not handle,...
Security update for webkit2gtk3
This update for webkit2gtk3 fixes the following issues: Update to version 2.52.1. Security issues fixed: CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy bsc1261172. CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected proces...
throttlestop-poc
throttlestop-poc This is a simple Proof-of-Concept that abuses...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
A flaw was found in WebKitGTK. Processing malicious web content can cause a use-after-free issue due to improper memory management and result in an unexpected process crash...
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
A flaw was found in WebKitGTK. Processing malicious web content can cause a use-after-free issue due to improper memory management and result in an unexpected process crash...
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
Summary A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10.2 only sanitized the onRejected callback in .then and...
Arbitrary Code Injection
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...