ROS-20260615-73-0035

The vulnerability of the rtsreadauthverifiernochecks function in the FreeRDP client is related to the insufficient use of the assert function. Exploiting this vulnerability could allow a malicious actor to cause service failures...

SUSE-SU-2026:2365-1 Security update for cosign

This update for cosign fixes the following issue - CVE-2026-39395: Incorrect attestation verification due to malformed payloads or mismatched predicate types bsc1261859. Changes for cosign: - update to 3.0.6: Fix DSSE predicate check GHSA-w6c6-c85g-mmv6 4801 Handle whitespace-only certificate...

CVE-2026-44505

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handledhtget network-libp2p/src/swarm.rs. Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record...

EUVD-2026-35876

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handledhtget network-libp2p/src/swarm.rs. Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record...

CVE-2026-44505 Nimiq network-libp2p: Untrusted peer can wedge DHT

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handledhtget network-libp2p/src/swarm.rs. Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record...

CVE-2026-44505

The CVE affects Nimiq’s network-libp2p component (Rust) used in the Albatross-based PoS implementation. Before v1.4.0, when a peer returns a FoundRecord, the code verified the record via dht_verifier.verify and, on verifier error, logged and returned early without completing the oneshot used by N...

EUVD-2026-35283

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to...

PT-2026-48330

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle dht get network-libp2p/src/swarm.rs. Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the reco...

Medium: bouncycastle

Issue Overview: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all pkix modules. PKIX draft CompositeVerifier accepts empty signature sequence as valid. This issue affects BC-JAVA: from 1.49 before 1.84. CVE-2026-5588 Affected...

Amazon Linux 2023 : bouncycastle, bouncycastle-javadoc, bouncycastle-mail (ALAS2023-2026-1775)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1775 advisory. Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all pkix modules. PKIX draft CompositeVerifier accepts empty signature sequence as...

CVE-2026-41213

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid codeverifier values including one-character strings for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...

Race Condition

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Race Condition through a race condition in the OAuth token exchange. An attacker can obtain multiple valid token pairs by making concurrent requests using the same authorization code and PKCE verifier. Remediation...

Red Hat Quay 安全漏洞

Red Hat Quay is a container image repository platform operated by the American company Red Hat. Red Hat Quay has a security vulnerability; this vulnerability stems from the fact that GitLab’s OAuth verifier transmits sensitive credentials as plain-text parameters in URL queries, which may lead to...

Linux Distros Unpatched Vulnerability : CVE-2026-45903

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - bpf: Fix memory access flags in helper prototypes After commit 37cce22dbd51 bpf: verifier: Refactor helper access type tracking, the verifier started relying on...

CVE-2026-45041 RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TESTPRIVATEKEY and uses it in production via parselicense to "verify" license tokens. Because the key is embedded in every...

CVE-2026-45041

CVE-2026-45041 affects RustFS prior to 1.0.0-beta.2, where crates/appauth/src/token.rs embeds a 2048-bit RSA private key (TEST_PRIVATE_KEY) as a string constant and uses it in production to verify licenses. This allows anyone who can read the source or extract the key from binaries to mint arbitr...

PYSEC-2026-176

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

UBUNTU-CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVE-2026-48526

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the...