16 matches found
CVE-2026-32814 libheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized...
CVE-2026-32814
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized...
GHSA-C35Q-VXRP-PH26 Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)
Impact: Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). Patches: Fixes are...
CLSA-2026-1777946314 httpd: Fix of 4 CVEs
CVE-2024-42516: fix HTTP response splitting in core via Content-Type response header (header filter rewrite) - CVE-2024-43204: prevent SSRF via mod_headers RequestHeader set/edit Content-Type modifying response headers - CVE-2024-43394: expand UNC path checking with new apstatcheck helper Linux:...
web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling
Summary: web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses these contract-supplied URLs directly after sender / data template substitution without any destination validation...
PT-2026-29855
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...
PT-2026-23095
Name of the Vulnerable Software and Affected Versions SVGO versions 2.1.0 through 2.8.0 SVGO versions 3.0.0 through 3.3.2 SVGO versions prior to 4.0.1 Description SVGO is susceptible to a denial-of-service issue stemming from improper handling of XML custom entities. Specifically, the software do...
GHSA-7777-FHQ9-592V ZITADEL has potential SSRF via Actions
Summary: ZITADEL Action V2 (introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0) is a webhook-based approach that allows developers to act on API requests to Zitadel and customize flows such as the issuance of a token. ZITADEL's Action target URLs can point to local hosts, potentially allowing...
Cache Poisoning
Overview: axios-cache-interceptor is a cache interceptor for axios. Affected versions of this package are vulnerable to Cache Poisoning by ignoring the Vary HTTP header. An attacker can access unauthorized cached responses to obtain sensitive user data by sending requests with multiple different...
CVE-2020-28870
In InoERP 0.7.2, an unauthorized attacker can execute arbitrary code on the server side due to lack of validations in /modules/sys/formpersonalization/jsonfp.php...
XML External Entity (XXE) Injection
Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection through the SVG parser. An attacker can perform server-side request forgery, disclose internal image files, and execute PHAR deserialization attacks by manipulating XML input. Note: This vulnerability i...
PT-2023-29522 · Unknown · Online Food Ordering System
Name of the Vulnerable Software and Affected Versions: Online Food Ordering System version 1.0 Description: The issue concerns multiple Unauthenticated SQL Injection vulnerabilities in the Online Food Ordering System. Specifically, the role parameter of the routers/user-router.php resource does n...
MGASA-2022-0298 Updated libgsasl packages fix security vulnerability
GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client. CVE-2022-2469...
CVE-2022-27139
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploadin...
PT-2018-15375 · Telegram · Telegram
Name of the Vulnerable Software and Affected Versions: Telegram version 4.9.1 Telegram Web-version 0.7.0 Description: The issue concerns a side channel in the "secret chat" feature where Telegram servers send GET requests for URLs typed while composing a chat message, before the message is sent...
XStream: remote code execution due to insecure XML deserialization
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream...