3547 matches found
LitmusChaos Security Feature Issue Vulnerability
LitmusChaos is a program open-sourced by Litmus Chaos that practices chaos engineering in a cloud-native manner. LitmusChaos suffers from a Security Feature Issue vulnerability that stems from a JWT signing key that is too short, which could lead to authentication bypass...
PT-2025-49585
Name of the Vulnerable Software and Affected Versions Litmus Platform affected versions not specified Description The Litmus platform utilizes JWT for authentication and authorization; however, the JWT signing secret key is only 6 bytes in length, making it susceptible to cracking. This allows fo...
kernel security update
4.18.0-553.89.1 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...
CVE-2025-34256
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote...
Securing the Model Context Protocol: Defending LLMs against Tool Poisoning and Adversarial Attacks
The Model Context Protocol MCP enables Large Language Models to integrate external tools through structured descriptors, increasing autonomy in decision-making, task execution, and multi-agent workflows. However, this autonomy creates a largely overlooked security gap. Existing defenses focus on...
EUVD-2025-201412
Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication...
EUVD-2025-201293
Fulcio allocates excessive memory during token parsing...
CVE-2025-65730
Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication...
PT-2025-49249
Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication...
CVE-2025-65730
Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication...
CVE-2025-65730
GoAway vulnerability CVE-2025-65730 involves an authentication bypass due to a hardcoded secret used to sign JWT tokens. Affected software includes GoAway up to version 0.62.18, with remediation in 0.62.19. The issue arises from the hardcoded signing key, enabling bypass of authentication. Measur...
MalwareBytes Missing Signing / Privilege Escalation
This is older research from 2016 when Google found that MalwareBytes failed to sign packages and download them over a secure channel as well as various other security issues...
CVE-2025-66506
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...
OPENSUSE-SU-2025:20138-1 Security update for act
This update for act fixes the following issues: - CVE-2025-47913: Prevent panic in embedded golang.org/x/crypto/ssh/agent client when receiving unexpected message types for key listing or signing requests boo1253608...
ROS-20251203-07
Vulnerability of C language module for signing and encryption of JSON objects latchset Jose is related to uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...
EUVD-2025-200299
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...
CVE-2025-13658
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...
CVE-2025-13658 Industrial Video & Control Longwatch has a Code Injection vulnerability
A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...
kernel security update
5.14.0-611.11.1 - Disable UKI signing Orabug: 36571828 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug:...
kernel security update
4.18.0-553.87.1 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...