CVE-2026-48156 pypdf: Possible long runtimes for zero-only width values in cross-reference streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W 0 0 0 values and large /Size values. This vulnerability is fixed in 6.12.0...

ai.looktech.ltrpc.schema:app-server (>=1.0.2 <=2.5.0), ai.looktech.ltrpc.schema:bt-app (=1.0.1) +488 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=1.0.0 <=6.2.0)

com.squareup.wire:wire-runtime MAVEN version =1.0.0, =1.0.2, =1.0.2, =0.0.1, =0.0.2, =0.1.1, =0.2.7, =0.2.7, =0.2.7, =0.1.1, =0.2.7, =0.7.21, =0.7.21, =0.7.21, =0.7.24 and more Source cves: CVE-2026-45799 Source advisory: OSV:GHSA-7XPR-HC2W-34M9...

Svelte: ReDoS in `<svelte:element>` Tag Validation

An internal regex in the Svelte runtime can take exponential time to test in . You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe...

RHCOS 4 : OpenShift Container Platform 4.14.29 (RHSA-2024:3700)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:3700 advisory. - cri-o: malicious container can create symlink on host CVE-2024-5154 Note that Nessus has not tested for this issue but has instead relied...

PT-2026-34613

Name of the Vulnerable Software and Affected Versions Nuclei versions 3.0.0 through 3.7.9 Description A flaw in the JavaScript protocol runtime's module loading system allows JavaScript templates to read local .js and .json files from the host filesystem. This occurs because the require function...

CVE-2026-27143

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption...

Google Go 安全漏洞

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which stems from the lack of operation interface conversion, allowing the compiler to incorrectly...

@fedify/botkit (>=0.4.0-dev.182 <=0.4.0-dev.183), @fedify/botkit-sqlite (>=0.4.0-dev.182 <=0.4.0-dev.183) +5 more potentially affected by CVE-2026-34148 via @fedify/vocab-runtime (>=2.0.0-dev.100 <=2.0.7)

@fedify/vocab-runtime NPM version =2.0.0-dev.100, =0.4.0-dev.182, =0.4.0-dev.182, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.16 Source cves: CVE-2026-34148 Source advisory: SNYK:JS-FEDIFYVOCABRUNTIME-15928877...

CVE-2026-33943

Happy DOM CVE-2026-33943 involves a code-injection vulnerability in the ECMAScriptModuleCompiler: in versions 15.10.0 through 20.8.7, unsanitized content within export { ... } in ES modules is interpolated into generated code as an executable expression, with backticks not removed, enabling templ...

PT-2026-27130

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Overview Affected versions of this package are vulnerable to Failure to Sanitize Special Elements into a Different Plane Special Element Injection in the processing of the X-Nuclio-Arguments HTTP header, which is incorporated into shell commands without validation or sanitization. An attacker can...

Sandbox escape via infinite recursion and error objects

Note: The npm package has moved to @enclave-vm/core formerly enclave-vm. All fixed versions and guidance refer to @enclave-vm/core. Summary The existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the err...

MiracleLinux 8 : dotnet3.1-3.1.423-1.el8.ML.1 (AXSA:2022-3850:11)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3850:11 advisory. dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion. CVE-2022-38013 Tenable has extracted the precedin...

ABB B&R Automation Runtime

SUMMARY ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is available that resolves a vulnerability. An attacker who successfully exploited this vulnerability could cause the product to stop. 2. FREQUENTLY ASKED QUESTIONS What causes the...

EulerOS 2.0 SP12 : docker-runc (EulerOS-SA-2026-1087)

According to the versions of the docker-runc package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 throug...

CVE-2023-40370

IBM Robotic Process Automation 21.0.0 through 21.0.7.1 runtime is vulnerable to information disclosure of script content if the remote REST request computer policy is enabled. IBM X-Force ID: 263470...

Security Bulletin: IBM Rational® Application Developer for WebSphere® Software is vulnerable to a remote attack to compromise Java SE

Summary IBM® SDK, Java™ Technology Edition, is used by IBM Rational® Application Developer for WebSphere® Software as the runtime and development kit. CVE-2025-53066 Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could...

TencentOS Server 4: java-21-konajdk (TSSA-2025:0409)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0409 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

RockyLinux 8 : kernel-rt (RLSA-2025:17812)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:17812 advisory. kernel: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 CVE-2022-50228 kernel: Bluetooth: L2CAP: Fix use-after-free CVE-2023-53305...

HTTP Request Smuggling

Overview Microsoft.AspNetCore.App.Runtime.linux-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to HTTP Request Smuggling via the interpretation of...