4432 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-9697
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. The target HTTPS connection...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the upload function. An attacker can cause the server to become unresponsive for all users by sending a specially crafted multipart form-data request with an excessively long...
UNIX Symbolic Link (Symlink) Following
Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following in the CRI checkpoint restore plugin due to improper validation of symlinked paths. An attacker can access arbitrary files on the host by crafting a malicious checkpoint image and leveraging the...
Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a HTTP Request/Response Smuggling Vulnerability in Eclipse Jetty (CVE-2026-2332)
Summary Eclipse Jetty is used by IBM DevOps Deploy / UrbanCode Deploy UCD to handle Agent Relay traffic. CVE-2026-2332. Vulnerability Details CVEID:CVE-2026-2332 DESCRIPTION: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the...
GHSA-HM92-R4W5-C3MJ undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Impact When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This cause...
Astra Linux – Vulnerability in Redis
Redis is an in-memory database that persists data on disk.Authenticated users who execute specially crafted SETRANGE and SORTRO commands can trigger an integer overflow, causing Redis to attempt to allocate an impossible amount of memory and result in a Memory Out of Control OOM panic. This issue...
Astra Linux – Vulnerability in Redis
Redis is an open-source, in-memory database that persists data on disk. Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field, which will cause a crash in Redis when accessed in affected versions. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19...
Astra Linux – Vulnerability in Redis
Redis is an open-source, in-memory database that persists data on disk.Authenticated users can trigger a denial-of-service attack by using specially crafted, overly long pattern matching on supported commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. Matchi...
Astra Linux – Vulnerability in lxml
Lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html allowed certain crafted script content to pass through, as well as script content in SVG files embedded using data URIs. Users who use the HTML Cleaner in a security-related...
Astra Linux – Vulnerability in Jetty9
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or perform unintended behaviors by tampering with the cookie parsing mechanism. If Jetty encounters a cookie value that starts with a double quot...
Astra Linux – Vulnerability in docker.io
Moby is an open-source project created by Docker to enable software containerization. A bug was discovered in Moby Docker Engine, where the data directory /var/lib/docker, contained subdirectories with insufficiently restricted permissions. This allowed unprivileged Linux users to access and...
Astra Linux – Vulnerability in ruby-rails-html-sanitizer
Rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, certain configurations of Rails::Html::Sanitizer could potentially introduce XSS vulnerabilities. An attacker could inject content if the application developer overrides the sanitizer’...
Astra Linux – Vulnerability in sqlparse
sqlparse is a non-validation SQL parser module for Python. In affected versions, the SQL parser contains a regular expression that is vulnerable to ReDoS Regular Expression Denial of Service. This issue was introduced by the commit e75e358. The vulnerability may lead to Denial of Service DoS. Thi...
Astra Linux – Vulnerability in Twig
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates whose names are user-inputs. It’s possible to use the source or include statement to read arbitrary files from outside the...
Astra Linux – Vulnerability in freerdp2
FreeRDP is a free implementation of the Remote Desktop Protocol RDP, released under the Apache license. This issue only affects clients. An integer underflow can lead to a Denial of Service DOS vulnerability, for example, an abort due to WINPRASSERT with default compilation flags. When an...
Astra Linux – Vulnerability in freerdp2
FreeRDP is a free implementation of the Remote Desktop Protocol RDP, released under the Apache license. Affected versions of FreeRDP are subject to a null pointer dereference that can lead to a crash in the RemoteFX rfx handling. Within the rfxprocessmessagetileset function, the program allocates...
Astra Linux – Vulnerability in freerdp2
FreeRDP is a free implementation of the Remote Desktop Protocol RDP, released under the Apache license. In affected versions, there is a Global-Buffer-Overflow in the ncrushdecompress function. Feeding crafted input into this function can trigger the overflow, which has only been shown to cause a...
SUSE CVE-2026-12151
Impact: The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...
PT-2026-50974
Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.18.0 Description The OIDC authenticator fails to validate the JWT audience aud claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token...
CVE-2026-50196 Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite...