4042 matches found
GHSA-5MF9-H53Q-7MHQ vulnerabilities
Vulnerabilities for packages: awx, authentik, authentik-fips, label-studio...
ROS-20260410-73-0004
A vulnerability in the Node.js software platform involves an incorrect restriction of the path name of a restricted directory. Exploitation of the vulnerability could allow an attacker to compromise the system...
ROS-20260410-73-0017
Vulnerability in expat related to null pointer dereferencing. Exploitation of the vulnerability could allow an attacker to cause a denial of service...
ROS-20260410-73-0016
Vulnerability in curl related to authentication bypass due to an initial bug. Exploitation of the vulnerability could allow an attacker acting remotely to escalate their privileges...
ROS-20260410-73-0009
Vulnerability in libssh related to incorrect external control of file name or path. Exploitation of the vulnerability could allow an attacker to escalate privileges...
SUSE CVE-2026-5918
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...
CVE-2026-21713 affecting package nodejs for versions less than 20.14.0-15
CVE-2026-21713 affecting package nodejs for versions less than 20.14.0-15. A patched version of the package is available...
CVE-2026-5264
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow...
GHSA-W8RR-5GCM-PP58 vulnerabilities
Vulnerabilities for packages: distribution, dapr, knative-eventing, zot, gitlab-kas, spicedb, hubble, ferretdb, grafana-alloy, kubeflow-pipelines, prometheus, gitaly, docker-cli-buildx, grafana-pyroscope, headlamp, docker, kubo, opentelemetry-collector, tekton-pipelines, thanos, gatekeeper, corte...
CVE-2026-5439
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value,...
CVE-2026-34757
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same...
minimatch: minimatch: Denial of Service via specially crafted glob patterns
A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service (ReDoS) vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...
GHSA-92PP-H63X-V22M vulnerabilities
Vulnerabilities for packages: langfuse, wazuh-dashboard, wazuh-dashboard-fips, langfuse-fips, kibana, opensearch-dashboards-fips, librechat, gemini-cli, opensearch-dashboards...
CVE-2026-5913
Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: Low...
CVE-2026-5888
Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-39881
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol...
GHSA-G7C4-WV7Q-GCC6 vulnerabilities
Vulnerabilities for packages: glibc...
GHSA-JMFJ-8GXC-CG8C vulnerabilities
Vulnerabilities for packages: grafana, grafana-fips...
CVE-2026-32280
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls...
CVE-2026-27140
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass...