CVE-2026-54232

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index flashinfer.ai/whl/ using --extra-index-url, but the...

CVE-2026-54232

vLLM prior to 0.22.1 is affected by a dependency confusion flaw in its Dockerfile. The vulnerability arises from installing flashinfer-jit-cache from a private index (flashinfer.ai/whl/) via --extra-index-url while the package name was not registered on PyPI and UV_INDEX_STRATEGY is set to unsafe...

dracut: dracut: Root code execution via DHCP options command injection

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP Dynamic Host Configuration Protocol options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and...

Important: Red Hat Security Advisory: dracut security update

An update for dracut is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...

Important: Red Hat Security Advisory: dracut security update

An update for dracut is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

SUSE CVE-2026-6893

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP Dynamic Host Configuration Protocol options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and...

Important: dracut security update

The dracut packages contain an event-driven initial RAM file system initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition...

Updated libinput packages fix security vulnerability

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution...

CVE-2026-45556

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a configfilename form field that is passed straight through to configmod.masterslaveuploadandrestart... as the destination path. The validation chai...

DEBIAN-CVE-2026-6893

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP Dynamic Host Configuration Protocol options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and...

UBUNTU-CVE-2026-6893

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP Dynamic Host Configuration Protocol options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and...

CVE-2026-6893

CVE-2026-6893 affects the dracut project, specifically the legacy DHCP path. A remote attacker on an adjacent network can trigger root code execution in the initramfs by sending specially crafted DHCP options (for example, a malicious hostname). The options are improperly handled and written into...

CVE-2026-10520

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution...

PT-2026-48436

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a config file name form field that is passed straight through to config mod.master slave upload and restart... as the destination path. The validati...

PT-2026-48501

Name of the Vulnerable Software and Affected Versions picklescan versions prior to 1.0.4 UniFi OS Server affected versions not specified Description picklescan fails to block pkgutil.resolve name, which allows attackers to bypass the blocklist by resolving dangerous functions through indirect...

dracut project dracut 命令注入漏洞

Dracut is an event-driven initramfs generation tool developed by Dracutdevs. Dracut has a vulnerability related to operating system command injection. This vulnerability arises when remote attackers provide custom DHCP options, which are improperly processed and written into temporary shell...

PT-2026-48526

Name of the Vulnerable Software and Affected Versions dracut affected versions not specified Description A flaw in the legacy DHCP path allows a remote attacker on the adjacent network to achieve root code execution within the initramfs initial RAM file system, which is loaded with the kernel at...

CVE-2026-24064

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLDINSERTLIBRARIES...

CVE-2026-10520

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution...

SUSE CVE-2026-50292

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution...