12463 matches found

Vulnrichment
added 2026/02/26 11:4 p.m., 2 views

CVE-2026-25851 Chargemap chargemap.com Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.4 CVSS, 6 AI score, 0.00643 EPSS
Exploits: 0, References: 3

OSV
added 2026/02/26 5:1 p.m., 5 views

CLSA-2026-1772125283 nodejs: Fix of 4 CVEs

CVE-2025-23167: fix improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. - CVE-2025-59466: fix uncatchable stack overflow exceptions when async_hooks are enabled, preventing denial-of-service crashes in applications using AsyncLocalStorage or...

7.5 CVSS, 7.1 AI score, 0.00978 EPSS
Exploits: 1, References: 1

RedHat Linux
added 2026/02/26 4:25 a.m., 2 views

kernel: nbd: fix incomplete validation of ioctl arg

A flaw has been found in the Linux kernel’s NBD drivers. The issue stems from incomplete validation of IOCTL arguments passed to the NBD driver. Specifically, oversized or unchecked arguments may lead to a signed integer overflow in blockwritefullpage and misuse of argument values cast to int in...

5.5 CVSS, 7.2 AI score, 0.00133 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2026/02/26 4:25 a.m., 10 views

kernel: Linux kernel: Denial of Service in ATM CLIP module via infinite recursion

A flaw was found in the Linux kernel's Asynchronous Transfer Mode (ATM) Classical IP (CLIP) module. A local user can trigger an infinite recursive call in the clip_push function by repeatedly calling the ioctl(ATMARP_MKIP) system call. This vulnerability occurs when the socket is closed, leading to stack...

7.8 CVSS, 5.8 AI score, 0.00163 EPSS
Exploits: 0, References: 5

Packet Storm
added 2026/02/26 12:0 a.m., 152 views

FreeBSD Routing Socket Input Validation

This proof of concept exploit attempts to test the robustness of the FreeBSD routing socket subsystem by crafting a RTM_ADD message containing an intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes)...

7.5 CVSS, 5.5 AI score, 0.00468 EPSS
Exploits: 1

CNNVD
added 2026/02/26 12:0 a.m., 8 views

PcVue Security Vulnerability

PcVue is a reliable, secure, and powerful operational software platform developed by PcVue Corporation. It is specifically designed for monitoring and controlling applications in industries such as building management and park management. Versions 12.0.0 to 16.3.3 of PcVue contain security...

6.1 CVSS, 5.8 AI score, 0.00111 EPSS
Exploits: 0, References: 1

RedHat Linux
added 2026/02/25 3:20 p.m., 1 view

kernel: Linux kernel: Denial of Service in ATM CLIP module via infinite recursion

A flaw was found in the Linux kernel's Asynchronous Transfer Mode (ATM) Classical IP (CLIP) module. A local user can trigger an infinite recursive call in the clip_push function by repeatedly calling the ioctl(ATMARP_MKIP) system call. This vulnerability occurs when the socket is closed, leading to stack...

7.8 CVSS, 5.8 AI score, 0.00163 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2026/02/25 4:10 a.m., 1 view

kernel: tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

A flaw was found in the Linux kernel’s TCP implementation in the function tcp_add_backlog. When calculating the maximum acceptable backlog for TCP sockets, the sum of the receive buffer (sk_rcvbuf), the send buffer (sk_sndbuf), and a fixed constant may exceed the maximum value of a signed integer due to...

5.9 AI score, 0.00168 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2026/02/25 4:10 a.m., 5 views

kernel: Linux kernel: Denial of Service in ATM CLIP module via infinite recursion

A flaw was found in the Linux kernel's Asynchronous Transfer Mode (ATM) Classical IP (CLIP) module. A local user can trigger an infinite recursive call in the clip_push function by repeatedly calling the ioctl(ATMARP_MKIP) system call. This vulnerability occurs when the socket is closed, leading to stack...

7.8 CVSS, 5.8 AI score, 0.00163 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2026/02/25 12:28 a.m., 4 views

kernel: ip6_vti: fix slab-use-after-free in decode_session6

A use-after-free vulnerability was found in the IPv6 VTI (Virtual Tunnel Interface) implementation in the Linux kernel. When an IPv6 VTI device uses the SFB (Stochastic Fair Blue) qdisc, the control block (cb) field of an skb can be modified during packet enqueuing. The decode_session6 function then rea...

6 AI score, 0.00216 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2026/02/25 12:27 a.m., 3 views

kernel: ip6_vti: fix slab-use-after-free in decode_session6

A use-after-free vulnerability was found in the IPv6 VTI (Virtual Tunnel Interface) implementation in the Linux kernel. When an IPv6 VTI device uses the SFB (Stochastic Fair Blue) qdisc, the control block (cb) field of an skb can be modified during packet enqueuing. The decode_session6 function then rea...

6 AI score, 0.00216 EPSS
Exploits: 0, References: 5

Oracle linux
added 2026/02/25 12:0 a.m., 9 views

buildah security update

1.41.8-2.0.1 - Drop nmap-ncat requirement and skip ignore-socket test case Orabug: 34117178 2:1.41.8-2 - Rebuild with golang 1.25.7 to fix CVE-2025-68121 - Resolves: RHEL-149617...

10 CVSS, 5.5 AI score, 0.00789 EPSS
Exploits: 3

Oracle linux
added 2026/02/25 12:0 a.m., 12 views

buildah security update

1.41.8-2.0.1 - Drop nmap-ncat requirement and skip ignore-socket test case Orabug: 34117178 2:1.41.8-2 - Rebuild for new golang to address CVE-2025-61726 - Resolves: RHEL-146715...

10 CVSS, 5.5 AI score, 0.00789 EPSS
Exploits: 3

OSV
added 2026/02/24 3:59 p.m., 3 views

CVE-2026-27571 nats-server websockets are vulnerable to pre-auth memory DoS

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS...

5.9 CVSS, 5.8 AI score, 0.00478 EPSS
Exploits: 0, References: 6

RedhatCVE
added 2026/02/24 1:44 a.m., 5 views

CVE-2025-70043

An issue pertaining to CWE-295: Improper Certificate Validation was discovered in Ayms node-To master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in TLS socket options...

9.1 CVSS, 5.3 AI score, 0.00183 EPSS
Exploits: 0, References: 1

Packet Storm News
added 2026/02/24 12:0 a.m., 4 views

FreeBSD Security Advisory - FreeBSD-SA-26:04.jail

FreeBSD Security Advisory - If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator h...

5.9 AI score, 0.00111 EPSS
Exploits: 0

Redos
added 2026/02/24 12:0 a.m., 8 views

ROS-20260224-73-0013

A vulnerability in the Socket Appender component of the Apache Log4j Core logging library API implementation is related to incorrect certificate authentication. Exploitation of the vulnerability could allow a remote attacker to intercept log traffic...

6.3 CVSS, 6.2 AI score, 0.00743 EPSS
Exploits: 1

NVD
added 2026/02/23 9:19 p.m., 9 views

CVE-2025-68930

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

7.1 CVSS, 0.00541 EPSS
Exploits: 4, References: 1

CVE
added 2026/02/23 8:44 p.m., 13 views

CVE-2025-68930

Traccar open-source GPS tracking system versions up to 6.11.1 are affected by a Cross-Site WebSocket Hijacking (CSWSH) in the /api/socket endpoint. The vulnerability arises from the application not validating the Origin header during the WebSocket handshake, allowing an attacker to bypass Same-Or...

7.1 CVSS, 5.5 AI score, 0.00541 EPSS
Exploits: 4, References: 1, Affected Software: 1

OSV
added 2026/02/23 8:44 p.m., 7 views

CVE-2025-68930 Traccar Missing Origin Validation in WebSockets

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

7.1 CVSS, 5.6 AI score, 0.00541 EPSS
Exploits: 4, References: 3