CVE-2026-33725

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution RCE and Arbitrary File Read via the...

EUVD-2026-16070

Saloon has insecure deserialization in AccessTokenAuthenticator...

SUSE-SU-2026:1107-1 Security update for python312

This update for python312 fixes the following issues: Update to Python 3.12.13: - CVE-2025-6075: quadratic complexity in os.path.expandvars bsc1252974. - CVE-2025-11468: header injection with carefully crafted inputs bsc1257029. - CVE-2025-12084: quadratic complexity in xml.minidom node ID cache...

CVE-2026-33725

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution RCE and Arbitrary File Read via the...

CVE-2026-33728 dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access ...

CVE-2026-33725

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution RCE and Arbitrary File Read via the...

CVE-2026-33725 Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution RCE and Arbitrary File Read via the...

EUVD-2026-16502

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution RCE and Arbitrary File Read via the...

CVE-2026-33725

Metabase Enterprise (all versions dating back to at least 1.47) prior to 1.59.4 include a vulnerability where authenticated admins can trigger Remote Code Execution (RCE) and Arbitrary File Read via POST /api/ee/serialization/import. A crafted serialization archive injects an INIT property into t...

CVE-2026-33725 Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution RCE and Arbitrary File Read via the...

Datadog Java APM 代码问题漏洞

Datadog Java APM is an open-source Java application performance monitoring and tracing library developed by Datadog, Inc. Versions of Datadog Java APM prior to 1.60.2 contained a code vulnerability. This vulnerability stemmed from the RMI tool’s custom endpoints, where deserialization of data did...

OpenTelemetry Instrumentation for Java 代码问题漏洞

OpenTelemetry Instrumentation for Java is an open-source Java proxy JAR developed by OpenTelemetry. There were code-related vulnerabilities in versions of OpenTelemetry Instrumentation for Java prior to 2.26.1. These vulnerabilities stemmed from the fact that custom endpoints registered by RMI...

UBUNTU-CVE-2026-33635

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding...

SUSE-SU-2026:1090-1 Security update for python3

This update for python3 fixes the following issues: - CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator bsc1257181...

CVE-2026-3967

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

UBUNTU-CVE-2026-23340

In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdiscresetalltxgt vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netifsetrealnumtxqueues calls qdiscresetalltxgt to flush qdiscs for queues which will no longer be used...

CVE-2026-23340

In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdiscresetalltxgt vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netifsetrealnumtxqueues calls qdiscresetalltxgt to flush qdiscs for queues which will no longer be used...

PT-2026-28512

Name of the Vulnerable Software and Affected Versions Metabase Enterprise versions 1.47 through 1.54.21 Metabase Enterprise versions 1.55.0 through 1.55.21 Metabase Enterprise versions 1.56.0 through 1.56.21 Metabase Enterprise versions 1.57.0 through 1.57.15 Metabase Enterprise versions 1.58.0...

CRLF Injection

Overview icalendar is an Implements the iCalendar specification RFC-5545 in Ruby. This allows for the generation and parsing of .ics files, which are used by a variety of calendaring applications. Affected versions of this package are vulnerable to CRLF Injection via the serialization process of...

Security Bulletin: Communications Server (CS) for Data Center Deployment, CS for Linux, and CS for Linux on System z are affected by: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2024 - Includes Oracle October 2024 CPU plus CVE-2024-10917

Summary Communications Server CS for Data Center Deployment, CS for Linux, and CS for Linux on System z install a local Java JRE in its product directories. This JRE is used solely for the IBM Key Manager ikeyman tool which is called by the snakeyman script used for managing the SSL key database...