CVE-2026-25087

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file but not an IPC stream with pre-buffering enabled, if the IPC file contains data with variadic buffers such as Binary View and String...

CVE-2026-2544

A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function childprocess.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond...

nodejs: Nodejs denial of service

A stack overflow flaw has been discovered in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when asynchooks.createHook is enabled. Instead of reaching process.on'uncaughtException', the process terminates, making the crash unrecoverable. Applications tha...

nodejs: Nodejs uninitialized memory exposure

A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other...

PT-2026-20319

Name of the Vulnerable Software and Affected Versions Apache Arrow C++ versions 15.0.0 through 23.0.0 Description A use-after-free issue exists in Apache Arrow C++ when reading an Arrow IPC file with pre-buffering enabled, if the file contains data with variadic buffers like Binary View and Strin...

CVE-2025-15578

Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time which is available from HTTP response headers, a call to the built-in rand function, and the PID...

CVE-2025-15578 Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely

Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time which is available from HTTP response headers, a call to the built-in rand function, and the PID...

CVE-2025-15578 Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely

Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time which is available from HTTP response headers, a call to the built-in rand function, and the PID...

CVE-2025-32453

Incorrect default permissions for some IntelR Graphics Driver software within Ring 2: Privileged Process may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may...

EUVD-2026-6119

A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function childprocess.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond...

CVE-2026-2544

A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function childprocess.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond...

CVE-2026-2544

CVE-2026-2544 affects yued-fe LuLu UI up to version 3.0.0. The vulnerability lies in the run.js file’s use of child_process.exec, enabling os command injection via remote attack. Multiple sources confirm the issue and remote exploitability, with vendor contact noted but no response. CVSS scores i...

CVE-2026-2544 yued-fe LuLu UI run.js child_process.exec os command injection

A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function childprocess.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond...

CVE-2026-2544 yued-fe LuLu UI run.js child_process.exec os command injection

A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function childprocess.exec of the file run.js. The manipulation results in os command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond...

LuLu UI 操作系统命令注入漏洞

LuLu UI is a native UI component library developed by yued-fe. Versions of LuLu UI 3.0.0 and earlier had a vulnerability related to operating system command injection. This vulnerability stemmed from the childprocess.exec function in the run.js file, which allowed for command injection via os...

OSV-2026-244 Use-of-uninitialized-value in ihevcd_fmt_conv

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=484466027 Crash type: Use-of-uninitialized-value Crash state: ihevcdfmtconv ihevcdprocessthread...

CVE-2026-23210

In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi-rxrings. The sequence was: 1. iceptpprepareforreset cancels PTP work 2...

CVE-2026-2144

The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename QRCode.png in the publicly accessible WordPress uploads...

CVE-2025-46303

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. A malicious HID device may cause an unexpected process crash...

CVE-2025-67433

A heap buffer overflow in the processRequest function of Open TFTP Server MultiThreaded v1.7 allows attackers to cause a Denial of Service DoS via a crafted DATA packet...