[SECURITY] Fedora 42 Update: uv-0.10.12-1.fc42

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

Roundcube -- SVG Attribute Bypass

The Roundcube project reports:...

CVE-2026-33739

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages Host, Storage, Group, Image, Printer, Snapin are vulnerable to Stored Cross-Site Scripting XSS, due to insufficient server-side parameter...

CVE-2026-5013

A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used...

CVE-2026-5007

Affects kazuph mcp-docs-rag up to 0.5.0. The vulnerable component is the cloneRepository function in src/index.ts (add_git_repository/add_text_file). The issue is OS command injection, exploitable locally. An exploit is publicly available, and the project was informed via an issue report but has ...

Remote Code Execution (RCE)

ruby-lsp is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsanitized interpolation of the rubyLsp.branch setting into a generated Gemfile, which allows an attacker to inject malicious code that executes when a user opens a crafted project...

SUSE CVE-2026-33312

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...

SUSE CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

SUSE CVE-2026-33676

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

SUSE CVE-2026-33700

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...

[SECURITY] Fedora 44 Update: uv-0.11.2-1.fc44

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

CVE-2026-33993

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...

CVE-2026-33739

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages Host, Storage, Group, Image, Printer, Snapin are vulnerable to Stored Cross-Site Scripting XSS, due to insufficient server-side parameter...

CVE-2026-33739 FOG has Stored XSS in Multiple Management Pages

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages Host, Storage, Group, Image, Printer, Snapin are vulnerable to Stored Cross-Site Scripting XSS, due to insufficient server-side parameter...

GHSA-X744-4WPC-V9H2 Moby has AuthZ plugin bypass when provided oversized request bodies

Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affecte...

Unsafe Dependency Resolution

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the process of loading sub-components with the trustremotecode parameter set to True, regardless of user...

FOG 跨站脚本漏洞

FOG is an open-source computer cloning and management system developed by the FOG Project. Versions of FOG prior to 1.5.10.1812 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient server-side parameter cleaning and the lack of HTML escaping in list tables,...

elixir-nodejs 竞争条件问题漏洞

Elixir-nodejs is an open-source project by Revelry that serves as an Elixir API for calling Node.js functions. Versions of elixir-nodejs prior to 3.1.4 contained a race condition vulnerability. This vulnerability stemmed from race conditions in the working protocol, which led to the loss of...

GO-2026-4855 Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If thi...

GO-2026-4853 Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...