22831 matches found
ROOT-OS-DEBIAN-13-CVE-2004-0230 CVE-2004-0230 in rootio-linux - Patched by Root
Root has patched CVE-2004-0230 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...
ROOT-OS-DEBIAN-13-CVE-2026-31511 CVE-2026-31511 in rootio-linux - Patched by Root
Root has patched CVE-2026-31511 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...
ROOT-OS-DEBIAN-13-CVE-2025-71077 CVE-2025-71077 in rootio-linux - Patched by Root
Root has patched CVE-2025-71077 in the rootio-linux package for Root:Debian:13. Multiple fixed versions available...
CVE-2026-56742
Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant...
CVE-2025-32781
CVE-2025-32781 affects Apollo Portal prior to 2.5.0, where an authenticated user can request a release by ID (GET /envs/{env}/releases/{releaseId}) with configView.memberOnly.envs enabled and read configuration data from other applications/namespaces. Root cause: missing application/namespace per...
EUVD-2026-44723
Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...
EUVD-2026-44707
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
EUVD-2026-44670
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...
ROOT-APP-NPM-CVE-2026-44574 CVE-2026-44574 in @rootio/next - Patched by Root
Root has patched CVE-2026-44574 in the @rootio/next package for Root:npm. Multiple fixed versions available...
EUVD-2026-44650
Grav v2.0.0 contains a cross-site scripting vulnerability fixed in 2.0.1. The XSS blueprint validator Security::detectXss runs on raw page content before Twig processing. When Twig content processing is enabled twigcontent.processenabled: true, an attacker with page-write API permission can use...
ROOT-OS-DEBIAN-12-CVE-2026-49346 CVE-2026-49346 in rootio-libde265 - Patched by Root
Root has patched CVE-2026-49346 in the rootio-libde265 package for Root:Debian:12. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-62718 CVE-2025-62718 in @rootio/axios - Patched by Root
Root has patched CVE-2025-62718 in the @rootio/axios package for Root:npm. Multiple fixed versions available...
PT-2026-60310
Name of the Vulnerable Software and Affected Versions Node Version Manager nvm versions 0.32.1 through 0.40.5 Description An issue exists where nvm ls-remote and other commands that refresh remote LTS aliases, such as nvm install --lts, parse the node.js mirror's index.tab and use the LTS codenam...
CVE-2026-49981
Twig is a template language for PHP. Prior to 3.27.0, the per-template filter, tag, and function allow-list verdict is computed when a Template instance is constructed and can remain cached after sandbox state changes between renders, allowing a later sandboxed render to reuse a template that was...
DEBIAN-CVE-2026-49854
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocketmask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided...
CVE-2026-46644 symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
Symfony Polyfill backports PHP features and provides compatibility layers for extensions and functions. From 1.17.1 until 1.38.1, symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload is empty or decodes to ASCII-only code points because Idn::process does not enforce the UTS 46...
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink...
CVE-2026-49978
CVE-2026-49978 affects DOMPurify, where IN_PLACE sanitization before version 3.4.7 could skip shadow contents inside a .content, allowing attacker-controlled markup (e.g., event handlers, JavaScript URLs, scripts) to survive during cloning and insertion of sanitized templates. The issue is fixed ...
CVE-2026-45069
CVE-2026-45069 concerns Symfony’s OidcTokenHandler, where verifyClaims() registered aud/iss/exp checkers but did not pass the mandatory claims list to ClaimCheckerManager::check(). Consequently, a validly signed JWT missing these claims could pass verification. The issue is fixed in Symfony relea...
CVE-2026-45069 Symfony: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, OidcTokenHandler::verifyClaims registered audience aud, issuer iss, and expiry exp checkers but did not pass the mandatory claims list to...