Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality (CVE-2025-62718)

Summary Node.js module axios is used by IBM App Connect Enterprise Certified Container for HTTP communications. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in...

NPM: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

NPM: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

NPM: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

NPM: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

NPM: Axios: Header Injection via Prototype Pollution

NPM: Axios: Header Injection via Prototype Pollution vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

Astra Linux – Vulnerability in python-eventlet

Eventlet is a concurrent networking library for Python. A WebSocket peer may exhaust memory on the Eventlet side by sending very large WebSocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending highly compressed data frames. A patch in version 0.31.0 restricts...

CVE-2026-27627

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,...

CVE-2026-27627 Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,...

CVE-2026-27627 Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,...

PT-2026-21852

Name of the Vulnerable Software and Affected Versions Karakeep version 0.30.0 Description Karakeep is an elf-hostable bookmark-everything app. Version 0.30.0 does not properly sanitize HTML content received from the Reddit metascraper plugin. Specifically, when the plugin returns...

CVE-2025-65017

Decidim’s private data export vulnerability (CVE-2025-65017) affects Decidim versions 0.30.0–0.30.3 and 0.31.0.rc1–0.31.0, where UUID generation can collide, leading to data leaks via private data exports. The root cause is UUID collision during export generation, enabling potential exposure of p...

CVE-2025-65017 Decidim's private data exports can lead to data leaks

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 an...

EUVD-2025-206733

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 an...

Valibot 安全漏洞

Valibot is an Open Circle open source library for structured data validation. A security vulnerability exists in Valibot versions 0.31.0 through 1.1.0, which stems from EMOJIREGEX being susceptible to a regular expression denial-of-service attack that could result in a denial of service of the...

EUVD-2021-0072

Malware in sbrugna...

EUVD-2021-1195

Malware in sbrugna...

[SECURITY] Fedora 42 Update: rust-rusqlite-0.31.0-6.fc42

Ergonomic wrapper for SQLite...

CVE-2020-15222

In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.31.0, when using "privatekeyjwt" authentication the uniqueness of the jti value is not checked. When using client authentication method "privatekeyjwt", OpenId specification says the following about asserti...

GHSA-7PRJ-HGX4-2XC3 Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy

A security issue was identified in the NanoProxy project related to the golang.org/x/crypto dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specif...

Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy

A security issue was identified in the NanoProxy project related to the golang.org/x/crypto dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specif...

Always-Incorrect Control Flow Implementation

Overview evm is a SputnikVM: Rust Ethereum Virtual Machine Implementation. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation as the opcode's condition is checked after the destination validity check, while according to Geth and OpenEthereum, the...