OSV · added 2026/03/06 7:03 a.m.

CVE-2026-29049 melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cau...

CVSS 4.3 · AI score 5.8 · EPSS 0.00177 · Exploits 0 · References 3
CNNVD · added 2026/03/06 12:00 a.m.

melange code issue vulnerability

Melange is a software developed by Chainguard for building APKs from source code. Versions of Melange prior to 0.40.5 have code vulnerabilities. This vulnerability arises from the fact that the melange update-cache process downloads URIs in the build configuration using io.Copy without a size limit...

CVSS 4.3 · AI score 7.4 · EPSS 0.00177 · Exploits 0 · References 2
Snyk · added 2026/03/02 10:04 p.m.

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the downloadFile function via the update-cache command. An attacker can cause disk exhaustion by supplying a malicious URI in the configuration, leading to unbounded downloads and...

CVSS 6.9 · AI score 5.8 · EPSS 0.00177 · Exploits 0 · References 2
OSV · added 2026/03/02 10:04 p.m.

GHSA-7RP8-R62P-Q6WC `melange update-cache` has unbounded HTTP download that can exhaust disk in CI

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5. Fix: Merge...

CVSS 4.3 · AI score 5.9 · EPSS 0.00177 · Exploits 0 · References 3
Github Security Blog · added 2026/03/02 10:04 p.m.

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5. Fix: Merge...

CVSS 4.3 · AI score 5.9 · EPSS 0.00177 · Exploits 0 · References 3 · Affected Software 1
GitLab Advisory Database · added 2026/03/02 12:00 a.m.

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5. Fix: Merge...

CVSS 4.3 · AI score 5.9 · EPSS 0.00177 · Exploits 0 · References 4 · Affected Software 1
Positive Technologies · added 2026/03/02 12:00 a.m.

PT-2026-23003

Name of the Vulnerable Software and Affected Versions: melange versions prior to 0.40.5. Description: melange enables users to create apk packages using declarative pipelines. In versions 0.40.5 and earlier, the melange update-cache function downloads URIs from build configurations using io.Copy...

CVSS 9.9 · AI score 5.9 · EPSS 0.22162 · Exploits 68 · References 136
Tenable Nessus · added 2026/01/20 12:00 a.m.

MiracleLinux 8 : freerdp-2.2.0-1.el8 (AXSA:2021-2116:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2116:01 advisory. freerdp: out of bounds read in TrioParse (CVE-2020-4030); freerdp: out of bound reads resulting in accessing memory location outside of static array...

CVSS 6.5 · AI score 5.7 · EPSS 0.02114 · Exploits 0 · References 9
OSV · added 2025/07/29 12:00 a.m.

ALSA-2025:12064 Important: unbound security update

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fixes: unbound: Unbound cache poisoning (CVE-2025-5994). For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE...

CVSS 8.7 · AI score 5.9 · EPSS 0.0019 · Exploits 0 · References 4
Snyk · added 2025/07/18 4:42 p.m.

Incorrect Default Permissions

Overview: Affected versions of this package are vulnerable to Incorrect Default Permissions via the updateCache function in the buildimplementation.go file. An attacker can gain unauthorized access to modify critical system files by exploiting overly permissive file permissions. Remediation: Upgrad...

CVSS 7.1 · AI score 7.1 · EPSS 0.00118 · Exploits 0 · References 2
Positive Technologies · added 2025/07/08 12:00 a.m.

PT-2025-28390 · Unknown · Tia Administrator

Name of the Vulnerable Software and Affected Versions: TIA Administrator versions prior to V3.0.6. Description: A vulnerability has been identified in the affected application, allowing low-privileged users to trigger installations by overwriting cache files and modifying the download path. This...

CVSS 8.5 · AI score 7.1 · EPSS 0.00128 · Exploits 0 · References 5
Positive Technologies · added 2025/04/14 12:00 a.m.

PT-2025-16246 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.9; Mattermost versions 10.4.x through 10.4.3; Mattermost versions 10.5.x through 10.5.1. Description: The issue arises when a user account is converted to a bot, and the cache is not properly invalidated,...

CVSS 9.9 · AI score 4.5 · EPSS 0.00955 · Exploits 1 · References 40
SUSE CVE · added 2025/04/02 8:57 a.m.

SUSE CVE-2025-21933

In the Linux kernel, the following vulnerability has been resolved: arm: pgtable: fix NULL pointer dereference issue. When update_mmu_cache_range is called by update_mmu_cache, the vmf parameter is NULL, which will cause a NULL pointer dereference issue in adjust_pte: Unable to handle kernel NULL pointe...

CVSS 5.5 · AI score 6.3 · EPSS 0.00148 · Exploits 0 · References 3
BDU FSTEC · added 2023/10/25 12:00 a.m.

The vulnerability of the `update_read_cache_bitmap_v3_order` function in the RDP client FreeRDP allows a hacker to trigger a service failure.

The vulnerability of the update_read_cache_bitmap_v3_order function in the RDP client FreeRDP is related to a memory reclamation error. Exploiting this vulnerability could allow a malicious actor to cause service interruptions remotely...

CVSS 2.2 · AI score 6.7 · EPSS 0.01895 · Exploits 1 · References 8 · Affected Software 4
OSV · added 2022/11/08 6:25 a.m.

RLSA-2022:7643 Important: bind9.16 security update

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fixes:...

CVSS 6.8 · AI score 6.6 · EPSS 0.0325 · Exploits 0 · References 4
OSV · added 2022/02/27 3:32 a.m.

GSD-2022-1000625 KVM: arm64: pkvm: Use the mm_ops indirection for cache maintenance

KVM: arm64: pkvm: Use the mm_ops indirection for cache maintenance. This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.16.5 by commit...

AI score 7.3 · Exploits 0
RedHat Linux · added 2020/09/29 8:15 p.m.

freerdp: double free in update_read_cache_bitmap_v3_order function

In FreeRDP greater than 1.2 and before 2.0.0, a double free in update_read_cache_bitmap_v3_order crashes the client application if corrupted data from a manipulated server is parsed. This has been patched in 2.0.0...

CVSS 3.5 · AI score 5.7 · EPSS 0.01895 · Exploits 1 · References 4
OSV · added 2020/06/22 10:15 p.m.

UBUNTU-CVE-2020-11096

In FreeRDP before version 2.1.2, there is a global OOB read in update_read_cache_bitmap_v3_order. As a workaround, one can disable bitmap cache with -bitmap-cache (default). This is fixed in version 2.1.2...

CVSS 6.5 · AI score 6.9 · EPSS 0.01837 · Exploits 0 · References 5
myhack58 · added 2014/03/10 12:00 a.m.

Discuz! X3.1 backend arbitrary code execution can get a shell - vulnerability warning - the black bar safety net

Saw someone asking how to get a shell from the Discuz! X3.1 backend, so I downloaded it to take a look. Someone said before that HTML generation can get a shell; yesterday I downloaded the version from the official website and found that static file extensions are limited to htm/html. If the server does not have a parsing vulnerability...

AI score 1 · Exploits 0