CVE-2025-69783

OpenEDR 2.5.1.0 self-defense can be bypassed by renaming a malicious executable to a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe), enabling interaction with the OpenEDR kernel driver and granting access to privileged configuration, process monitoring, and IOCTL functionality. Th...

PT-2026-25844

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.2 Description Glances, a system cross-platform monitoring tool, has an issue where the web server runs without authentication by default when started with glances -w. This exposes a REST API containing sensitive...

GHSA-V9P9-HFJ2-HCW8 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

Impact The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression....

EUVD-2026-11704

Undici has Unhandled Exception in WebSocket Client Due to Invalid servermaxwindowbits Validation...

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process

Summary A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's...

GHSA-4C96-W8V2-P28J Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process

Summary A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's...

EUVD-2026-11694

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:childprocess...

CVE-2026-31886 Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves...

SUSE CVE-2026-32260

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand...

Microsoft Windows Image File Execution Options (IFEO) Persistence

This PHP script leverages legitimate Windows debugging features to establish persistent remote access. This technique leverages the Image File Execution Options IFEO registry keys to configure a monitor process that automatically executes when a specified target process exits. Windows allows...

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

AutoMapper is vulnerable to a Denial of Service DoS attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memor...

Linux Distros Unpatched Vulnerability : CVE-2026-4016

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svginprocess of the file src/filters/loadsvg.c of t...

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the KJ-HTTP process. An attacker can cause the system to interpret a negative Content-Length value as an extremely large unsigned value by sending specially crafted HTTP requests or responses, potentially...

Uncaught Exception

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Uncaught Exception through improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. An attacker can cause the process...

runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects

A flaw was found in runc. This attack is a more sophisticated variant of CVE-2019-16884, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process...

CVE-2026-2229

The CVE affects the undici WebSocket client. It arises from improper validation of the server_max_window_bits parameter in the permessage-deflate extension: isValidClientWindowBits() only checks ASCII digits and not the 8–15 range, and createInflateRaw() is not wrapped in a try-catch. A malicious...

CVE-2026-2229 undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

Uncaught Exception

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to termina...

CVE-2026-32260

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand...

CVE-2026-32260

Summary: CVE-2026-32260 affects Deno’s node:child_process polyfill (shell: true mode). From 2.7.0 to 2.7.1, a two-stage argument sanitization in transformDenoShellCommand contains a priority bug: when an argument includes a $VAR pattern, it is wrapped in double quotes instead of single quotes. Th...