CVE-2026-49401

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...

CVE-2026-45135 Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct fla...

CVE-2026-49401

CVE-2026-49401 describes a permission bypass in Deno on macOS APFS prior to v2.7.14. The denial checks for --deny-read/--deny-write/--deny-run/--deny-ffi were performed at the raw-byte level, but APFS considers different Unicode spellings of the same name as the same file. This allowed a process ...

CVE-2026-49401 Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...

CVE-2026-57053

GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idnatounicodeinternal. The affected code is not present in libidn2...

EUVD-2026-38523

GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idnatounicodeinternal. The affected code is not present in libidn2...

CVE-2026-54911

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

CVE-2026-50555

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

CVE-2026-50555

Summary: CVE-2026-50555 affects the @angular/platform-server SSR path via the domino DOM emulation dependency. A Unicode index alignment bug in domino’s escaping logic caused astral Unicode characters preceding closing tags (such as,,) to misalign the escape/replacement, leaving the closing tag u...

CVE-2026-50555 Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @angular/platform-server

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

CVE-2026-9265

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in printattribute UTF8STRING path. printattribute copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen on...

Astra Linux – Vulnerability in Shadow

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn change finger. Although it is not possible to exploit this directly for example, adding a new user fails because \n is in the block list, it is possible to misrepresent the /etc/passwd file...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: Issue: Skipping the reallocation of the Unicode buffer when the console size is resized after exiting the AltScreen mode. When the enteraltscreen function saves vcunilines into vcsavedunilines and sets vcunilines to NULL, a...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer The syzbot report indicates a kernel vulnerability at the vcsread function 1. The buffer can be read immediately after the resizing operation. Initialize the buffer using kzalloc...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: Unicode: Fixed the error path in utf8load. utf8load requests the symbol “utf8datatable” and then checks whether the requested UTF-8 version is supported. If it’s not supported, it attempts to load the data table using symbolput. ...

Astra Linux – Vulnerability in ICU

It was discovered that International Components for Unicode ICU-20850 v66.1 contains a use after free bug in the pkgcreateWithAssemblyCode function in the tools/pkgdata/pkgdata.cpp file...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: “vt: fix unicode buffer corruption when deleting characters” This is the same issue that was fixed for the VGA text buffer in commit 39cdb68c64d8 “vt: fix memory overlapping when deleting chars in the buffer”. The solution is als...

PT-2026-51093

Name of the Vulnerable Software and Affected Versions UltraJSON versions prior to 5.13.0 Description The functions ujson.dumps, ujson.dump, and ujson.encode contain an issue when the reject bytes variable is set to False. In this configuration, the software may accept malformed or truncated UTF-8...

Siemens RUGGEDCOM RST2428P Out-of-bounds Write (CVE-2026-1489)

A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds write...

Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Summary Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different...