GitHub Enterprise Server 安全漏洞

GitHub Enterprise Server is an open-source application developed by GitHub in the United States. It provides a scalable and easy-to-manage platform by allowing users to set their GitHub instances as virtual devices. Prior to version 3.21 of GitHub Enterprise Server, there was a security...

Improper Authentication

Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Improper Authentication in the async key resolver when it returns an empty string or zero-length buffer. An attacker can gain unauthorized access and assume arbitrary identities by forgin...

NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

NPM: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver vulnerability discovered by ? in WordPress Npm fast-jwt versions = 6.2.3...

GHSA-GMVF-9V4P-V8JC fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...

fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver

Summary A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string '', for example via the common keysdecoded.header.ki...

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the Address GraphQL resolver, which does not enforce schema scope filtering on top-level queries. An attacker can access sensitive address information belonging to...

Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure

Summary The GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the...

PT-2026-38285

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0 through 4.17.11 Craft CMS versions 5.0.0 through 5.9.17 Description The GraphQL Address element resolver in src/gql/resolvers/elements/Address.php fails to perform schema scope filtering on top-level queries. While oth...

PT-2026-38307

Name of the Vulnerable Software and Affected Versions fast-jwt versions prior to 6.2.4 Description An authentication bypass exists in the asynchronous key-resolver flow. When an application's key resolver returns an empty string '' or a zero-length Buffer, the software converts this to a...

GHSA-MGGX-P7JF-JGW4 jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine

Summary Description An Improper Neutralization of Special Elements Used in a Template Engine CWE-1336 vulnerability in Jdbi allows arbitrary command execution when an application using jdbi3-freemarker permits attacker-influenced text to reach FreemarkerEngine.parse as template source. This affec...

PT-2026-37287

Name of the Vulnerable Software and Affected Versions External Secrets Operator versions prior to 2.4.0 Description Namespaced SecretStore resources using CAProvider with type ConfigMap could resolve CA material from a different namespace when the caProvider.namespace variable was set. This...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-24781 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-26332 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-26956 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.apache.opennlp:opennlp-cli (>=3.0.0-M1 <=3.0.0-M2), org.apache.opennlp:opennlp-distr (>=3.0.0-M1 <=3.0.0-M2) +6 more potentially affected by CVE-2026-40682 via org.apache.opennlp:opennlp-runtime (>=3.0.0-M1 <=3.0.0-M2)

org.apache.opennlp:opennlp-runtime MAVEN version =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-M1, =3.0.0-M2 Source cves: CVE-2026-40682 Source advisory: SNYK:JAVA-ORGAPACHEOPENNLP-16419378...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-24118 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

JLSEC-2026-408

A denial of service vulnerability exists in curl v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm and siglongjmp. When doi...

Astra Linux – Vulnerability in bind9

In BIND 9.3.0 - 9.11.35, 9.12.0 - 9.16.21, and versions 9.9.3-S1 - 9.11.35-S1 and 9.16.8-S1 - 9.16.21-S1 of the BIND Supported Preview Edition, as well as release version 9.17.0 - 9.17.18 of the BIND 9.17 development branch, exploiting broken authoritative servers using a flaw in response...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: net: phylink: Added a lock to serialize concurrent writes to pl-phydev using phylinkresolve. Currently, phylinkresolve protects itself against concurrent calls to phylinkbringupPhyio or phylinkdisconnectPhyio that modify pl-phyde...

Astra Linux – Vulnerability in bind9

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode the available memory to the point where named crashes occur due to lack of resources...