GHSA-JMR7-XGP7-CMFJ vulnerabilities
Vulnerabilities for packages: tileserver-gl, renovate, saf, prism, jitsucom-jitsu, kubeflow-pipelines...
CVE-2026-0810
A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the TimeBuf component, leading to undefined behavior when these malformed strings are subsequently processed...
GHSA-5GVR-285Q-PWC3 vulnerabilities
Vulnerabilities for packages: linux-aws, linux-qemu, linux-azure, linux-qemu-rc, linux-vmware, linux-gcp, linux-qemu-melange...
CVE-2026-22690
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be...
CVE-2023-54068
In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to call f2fs_wait_on_page_writeback in f2fs_write_raw_pages. BUG_ON will be triggered when writing files concurrently, because the same page is written back multiple times. 1597 void folio_end_writeback(struct folio *folio)...
CVE-2025-59935
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch...
CVE-2025-65431
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead...
GHSA-4QG8-FJ49-PXJH vulnerabilities
Vulnerabilities for packages: witness, tekton-chains, goreleaser, falcoctl, spire-server, cosign, neuvector-sigstore-interface, zarf, gh, ko, docker-cli-buildx, gitsign, kyverno, vexctl, skaffold, policy-controller, kyverno-notation-aws, crossplane, sigstore-scaffolding, kubescape, aactl, tkn,...
CVE-2025-63499
Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter...
CVE-2025-12638
Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall method without the security-critical filter='data' parameter. Although Keras attempts...
CVE-2025-61664
A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after...
CVE-2025-62588
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromis...
GHSA-X7HR-W5R2-H6WG vulnerabilities
Vulnerabilities for packages: opensearch-dashboards-fips, kibana, opensearch-dashboards...
GHSA-WX3R-HH3W-28WG vulnerabilities
Vulnerabilities for packages: openjdk-26-openj9, openjdk-8-openj9, openjdk-25-openj9, openjdk-11-openj9, openjdk-17-openj9, openjdk, openjdk-21-openj9...
CVE-2025-53029
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...
CVE-2025-38333
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in get_new_segment. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dc pc : new_curseg+0x5e8/0x6dc Call trace: new_curseg+0x5e8/0x6dc...
CVE-2025-4517
Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...
Exploit for Deserialization of Untrusted Data in Apache Tomcat
Testing any tomcat version to see whether that version is vuln...
CVE-2025-22153
RestrictedPython is a tool that helps to define a subset of the Python language, allowing program input to be provided to a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using try/except, RestrictedPython starting...
CVE-2025-21613
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only...