
237 matches found

EUVD
added 6 days ago, 7 views

EUVD-2026-36264

tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences e.g., ....

8.7 CVSS, 5.5 AI score, 0.00495 EPSS
Exploits: 1, References: 1

OSV
added 2026/05/28 12:0 a.m., 8 views

MAL-2026-5003 Malicious code in @cloudplatform-single-spa/vpn (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8 AI score
Exploits: 0, References: 2

OSV
added 2026/05/28 12:0 a.m., 5 views

MAL-2026-4954 Malicious code in @cloudplatform-single-spa/observability (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8 AI score
Exploits: 0, References: 1

AstraLinux
added 2026/05/20 5:53 a.m., 5 views

Astra Linux - vulnerability in glib2.0

A flaw was discovered in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability enables a local attacker to...

3.7 CVSS, 5.9 AI score, 0.0037 EPSS
Exploits: 0, References: 2

Tenable Nessus
added 2026/05/09 12:0 a.m., 3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: glib2 (UTSA-2026-016789)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016789 advisory. A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform pat...

3.7 CVSS, 5.8 AI score, 0.0037 EPSS
Exploits: 0, References: 4

Vulnrichment
added 2026/04/22 4:7 p.m., 3 views

CVE-2026-35342 uutils coreutils mktemp Insecure Temporary File Placement via Empty TMPDIR

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the...

3.3 CVSS, 5.7 AI score, 0.00132 EPSS
Exploits: 0, References: 2

OSV
added 2026/04/16 8:53 a.m., 4 views

CLSA-2026-1776329620 glib2: Fix of 6 CVEs

CVE-2026-1489: fix integer overflow in Unicode case conversion functions - CVE-2026-1484: fix integer overflow in GLib Base64 encoding - CVE-2025-14512: fix integer overflow in escapebytestring for byte strings with many invalid characters - CVE-2026-1485: fix buffer underflow in content type...

6.5 CVSS, 6.8 AI score, 0.00504 EPSS
Exploits: 1, References: 1

OSV
added 2026/04/15 11:18 p.m., 5 views

CLSA-2026-1776246056 glib2: Fix of 5 CVEs

CVE-2026-1489: fix integer overflow in Unicode case conversion functions - CVE-2026-1484: fix integer overflow in GLib Base64 encoding - CVE-2026-1485: fix buffer underflow in content type treemagic parsing - CVE-2026-0988: fix integer overflow in gbufferedinputstreampeek - CVE-2025-7039: fix...

5.4 CVSS, 6 AI score, 0.00396 EPSS
Exploits: 1, References: 1

OSV
added 2026/04/14 1:10 p.m., 5 views

JLSEC-2026-103 Insufficient permission checking in `Deno.makeTemp*` APIs

Impact Insufficient validation of parameters in Deno.makeTemp APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a Deno.makeTemp API...

5.8 CVSS, 6.2 AI score, 0.00491 EPSS
Exploits: 1, References: 3

NVD
added 2026/03/31 12:16 p.m., 0 views

CVE-2026-32988

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes...

7.5 CVSS, 0.0008 EPSS
Exploits: 0, References: 2

OSV
added 2026/03/30 10:1 a.m., 2 views

USN-8127-1 imagemagick vulnerabilities

It was discovered that ImageMagick did not properly process certain tags prior to an image being loaded. An attacker could possibly use this issue to cause ImageMagick to crash, resulting in a denial of service. CVE-2026-23952 It was discovered that ImageMagick did not properly handle temporary...

7.8 CVSS, 5.8 AI score, 0.00475 EPSS
Exploits: 1, References: 11

Snyk
added 2026/03/13 3:48 p.m., 6 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through the handling of temporary file creation and population in the sandboxed file system bridge. An attacker can write arbitrary data...

7.5 CVSS, 5.9 AI score, 0.0008 EPSS
Exploits: 0, References: 3

OSV
added 2026/02/24 3:32 p.m., 5 views

GHSA-P33R-FQW2-RQMM ImageMagick has NULL pointer dereference in ReadSFWImage after DestroyImageInfo (sfw.c)

In ReadSFWImage coders/sfw.c, when temporary file creation fails, readinfo is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR:...

5.3 CVSS, 5.4 AI score, 0.00376 EPSS
Exploits: 0, References: 6

OSV
added 2026/02/24 1:16 a.m., 1 view

DEBIAN-CVE-2026-25795

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in ReadSFWImage coders/sfw.c, when temporary file creation fails, readinfo is destroyed before its filename member is accessed, causing a NULL pointer dereferen...

7.5 CVSS, 7.7 AI score, 0.00376 EPSS
Exploits: 0, References: 1

Snyk
added 2026/02/24 12:54 a.m., 1 view

NULL Pointer Dereference

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

8.2 CVSS, 6 AI score, 0.00376 EPSS
Exploits: 0, References: 2

Snyk
added 2026/02/24 12:54 a.m., 4 views

NULL Pointer Dereference

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.2 CVSS, 6 AI score, 0.00376 EPSS
Exploits: 0, References: 2

Snyk
added 2026/02/24 12:54 a.m., 3 views

NULL Pointer Dereference

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

8.2 CVSS, 6 AI score, 0.00376 EPSS
Exploits: 0, References: 2

Snyk
added 2026/02/24 12:54 a.m., 4 views

NULL Pointer Dereference

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

8.2 CVSS, 6 AI score, 0.00376 EPSS
Exploits: 0, References: 2

Snyk
added 2026/02/24 12:54 a.m., 4 views

NULL Pointer Dereference

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.2 CVSS, 6 AI score, 0.00376 EPSS
Exploits: 0, References: 2

Snyk
added 2026/02/24 12:54 a.m., 4 views

NULL Pointer Dereference

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.2 CVSS, 6 AI score, 0.00376 EPSS
Exploits: 0, References: 2