SDLLMFuzz: Dynamic-Static LLM-Assisted Greybox Fuzzing for Structured Input Programs

Fuzzing has become a widely adopted technique for vulnerability discovery, yet it remains ineffective for structured-input programs due to strict syntactic constraints and limited semantic awareness. Traditional greybox fuzzers rely on mutation-based strategies and coarse-grained coverage feedbac...

False Security Confidence in Benign LLM Code Generation

Prior work has demonstrated that functionally correct yet vulnerable outputs arise systematically in threat-oriented settings, where adversarial or implicit channels are used to induce security failures in code agents and automated patching workflows. This note introduces a complementary but...

USN-8182-1: Rack vulnerabilities

Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. CVE-2026-26961 William T. Nelson...

USN-8182-1 ruby-rack vulnerabilities

Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. CVE-2026-26961 William T. Nelson...

Allocation of Resources Without Limits or Throttling

Overview org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via static resource resolution. An attacker can cause denia...

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : Rack vulnerabilities (USN-8182-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8182-1 advisory. Andrew Lacambra discovered that Rack did not properly parse certain regular...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007471)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007471 advisory. In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: Fix a possible warning in privcmdioctlmmapresource As 'kdata.num' is user-controlled...

@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +626 more potentially affected by CVE-2026-6410 via @fastify/static (>=8.0.0 <=9.1.0)

@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =2.0.0, =1.0.0, =1.1.0 and more Source cves: CVE-2026-6410 Source advisory: OSV:GHSA-PR96-94W5-MX2H...

EUVD-2026-23243

@fastify/static vulnerable to path traversal in directory listing...

@fastify/static vulnerable to path traversal in directory listing

Impact @fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path to resolve a directory outside the root via path.join without a containment check. A remote...

GHSA-PR96-94W5-MX2H @fastify/static vulnerable to path traversal in directory listing

Impact @fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path to resolve a directory outside the root via path.join without a containment check. A remote...

EUVD-2026-23227

@fastify/static vulnerable to route guard bypass via encoded path separators...

@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +626 more potentially affected by CVE-2026-6414 via @fastify/static (>=8.0.0 <=9.1.0)

@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =2.0.0, =1.0.0, =1.1.0 and more Source cves: CVE-2026-6414 Source advisory: OSV:GHSA-X428-GHPX-8J92...

GHSA-X428-GHPX-8J92 @fastify/static vulnerable to route guard bypass via encoded path separators

Impact @fastify/static v9.1.0 and earlier decodes percent-encoded path separators %2F before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/ do not match /admin%2Fsecret.html, but @fastify/static decodes it to...

@fastify/static vulnerable to route guard bypass via encoded path separators

Impact @fastify/static v9.1.0 and earlier decodes percent-encoded path separators %2F before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on /admin/ do not match /admin%2Fsecret.html, but @fastify/static decodes it to...

CVE-2026-6414

A flaw was found in @fastify/static. A remote attacker can exploit this vulnerability by sending specially crafted requests that include percent-encoded path separators. This mismatch in how @fastify/static decodes these separators compared to the Fastify router allows the attacker to bypass...

CVE-2026-6410

A flaw was found in @fastify/static. When directory listing is enabled, a remote unauthenticated attacker can exploit a path traversal vulnerability. This occurs because the dirList.path function incorrectly resolves directories outside the configured static root. Successful exploitation allows t...

CVE-2026-5426 KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks...

CVE-2026-5426

CVE-2026-5426 affects Digital Knowledge KnowledgeDeliver prior to Feb 24, 2026, due to a hard-coded ASP.NET/IIS machineKey in web.config. This flaw enables unauthenticated attackers to bypass ViewState validation and achieve remote code execution via crafted ViewState deserialization. In observed...

CVE-2026-5426 KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks...