PT-2026-48892

Name of the Vulnerable Software and Affected Versions OpenTelemetry-cpp versions prior to 1.27.0 Description The OTLP HTTP exporters for traces, metrics, and logs read the complete HTTP response into an in-memory vector of bytes without implementing a size limit. This can lead to memory exhaustio...

CVE-2026-50563 Fission Container Executor Function PodSpec Injection Leading to Node Escape

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the...

PT-2026-48509

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs fo...

CVE-2026-32792

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support '--enable-dnscrypt'. A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit...

PT-2026-41995

Name of the Vulnerable Software and Affected Versions libheif versions prior to 1.22.0 Description An unsigned integer underflow occurs in the Chunk constructor when processing a crafted HEIF sequence file containing samples per chunk=0 in the stsc box. This causes all samples to map to an empty...

ALPINE-CVE-2026-40170

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2qlogparameterssettransportparams serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport...

SUSE CVE-2026-27489

Open Neural Network Exchange ONNX is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0...

CVE-2026-27489

CVE-2026-27489: Open Neural Network Exchange (ONNX) prior to 1.21.0 suffers a path-traversal via symlink vulnerability that allows reading files outside the model or user directory. Affected product detail in IBM Watson Speech Services Cartridge (versions 4.0.0–5.3.1); fix is in 5.3.1 Patch 5 (5....

CVE-2026-30892 Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the crun exec option -u --user is incorrectly parsed. The value 1 is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected...

CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

CVE-2026-24846 malcontent's archive extraction could write outside extraction directory

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The...

PT-2026-5354

Name of the Vulnerable Software and Affected Versions malcontent versions 1.8.0 through 1.20.2 Description malcontent may allow for the creation of symlinks outside the intended extraction directory when scanning specially crafted tar or deb archives. This occurs because the handleSymlink functio...

CVE-2025-40979 DLL search order hijack in Wave by Grandstream Networks

DLL search order hijacking vulnerability in the wave.exe executable for Windows 11, version 1.27.8. Exploitation of this vulnerability could allow attackers with local access to execute arbitrary code by placing an arbitrary file in the 'C:\Users\AppData\Local\Temp' directory, which could lead to...

EU Cookie Compliance 安全漏洞

EU Cookie Compliance is a web plugin for the Drupal community. A security vulnerability exists in EU Cookie Compliance versions prior to 1.26.0 that stems from improper input neutralization and could lead to a cross-site scripting attack...

CVE-2023-30785

Unauth. Reflected Cross-Site Scripting XSS vulnerability in I Thirteen Web Solution Video Grid plugin = 1.21 versions...

WordPress NertWorks All in One Social Share Tools plugin <=1.26 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery CSRF Vulnerability discovered by johska in WordPress Plugin NertWorks All in One Social Share Tools versions = 1.26...

Mozilla Firefox Security Vulnerability

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability previously existed in Mozilla Firefox version 120, which originated from a method that could imprint a user to load an insecure http page...

SUSE go 注入漏洞

SUSE go is an expressive, concurrent, garbage-collecting general purpose/systems programming language from SUSE, Germany. A security vulnerability exists in SUSE go version 1.20 that stems from improper handling of empty HTML attributes...

JetBrains Toolbox 安全漏洞

JetBrains Toolbox is a JetBrains product management application from the Czech company JetBrains. A security vulnerability exists in JetBrains Toolbox App versions prior to 1.28. An attacker exploited the vulnerability to perform a DYLIB injection attack...

PT-2022-13632 · Softing · Softing Secure Integration Server

Name of the Vulnerable Software and Affected Versions: Softing Secure Integration Server version V1.22 Description: A denial-of-service condition can be created in the software by sending a crafted HTTP packet with a large content-length header. This issue affects the Softing Secure Integration...