CVE-2026-32792

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support '--enable-dnscrypt'. A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit...

PT-2026-41995

Name of the Vulnerable Software and Affected Versions libheif versions prior to 1.22.0 Description An unsigned integer underflow occurs in the Chunk constructor when processing a crafted HEIF sequence file containing samples per chunk=0 in the stsc box. This causes all samples to map to an empty...

ALPINE-CVE-2026-40170

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2qlogparameterssettransportparams serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport...

SUSE CVE-2026-27489

Open Neural Network Exchange ONNX is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0...

CVE-2026-27489

CVE-2026-27489 is linked to a concrete vulnerability in ONNX where a path-traversal via symlink exists in the external data handling. The root cause is that the symlink check uses std::filesystem::is_regular_file which follows symlinks, allowing an attacker to trick the loader into reading arbitr...

CVE-2026-30892 Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the crun exec option -u --user is incorrectly parsed. The value 1 is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected...

CVE-2026-25536 @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless...

CVE-2026-24846 malcontent's archive extraction could write outside extraction directory

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The...

PT-2026-5354

Name of the Vulnerable Software and Affected Versions malcontent versions 1.8.0 through 1.20.2 Description malcontent may allow for the creation of symlinks outside the intended extraction directory when scanning specially crafted tar or deb archives. This occurs because the handleSymlink functio...

CVE-2025-40979 DLL search order hijack in Wave by Grandstream Networks

DLL search order hijacking vulnerability in the wave.exe executable for Windows 11, version 1.27.8. Exploitation of this vulnerability could allow attackers with local access to execute arbitrary code by placing an arbitrary file in the 'C:\Users\AppData\Local\Temp' directory, which could lead to...

EU Cookie Compliance 安全漏洞

EU Cookie Compliance is a web plugin for the Drupal community. A security vulnerability exists in EU Cookie Compliance versions prior to 1.26.0 that stems from improper input neutralization and could lead to a cross-site scripting attack...

CVE-2023-30785

Unauth. Reflected Cross-Site Scripting XSS vulnerability in I Thirteen Web Solution Video Grid plugin = 1.21 versions...

WordPress NertWorks All in One Social Share Tools plugin <=1.26 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery CSRF Vulnerability discovered by johska in WordPress Plugin NertWorks All in One Social Share Tools versions = 1.26...

Mozilla Firefox Security Vulnerability

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability previously existed in Mozilla Firefox version 120, which originated from a method that could imprint a user to load an insecure http page...

SUSE go 注入漏洞

SUSE go is an expressive, concurrent, garbage-collecting general purpose/systems programming language from SUSE, Germany. A security vulnerability exists in SUSE go version 1.20 that stems from improper handling of empty HTML attributes...

JetBrains Toolbox 安全漏洞

JetBrains Toolbox is a JetBrains product management application from the Czech company JetBrains. A security vulnerability exists in JetBrains Toolbox App versions prior to 1.28. An attacker exploited the vulnerability to perform a DYLIB injection attack...

PT-2022-13632 · Softing · Softing Secure Integration Server

Name of the Vulnerable Software and Affected Versions: Softing Secure Integration Server version V1.22 Description: A denial-of-service condition can be created in the software by sending a crafted HTTP packet with a large content-length header. This issue affects the Softing Secure Integration...

Vulnerability fixed in Cacti

A vulnerability has been fixed in Cacti. The vulnerability allows a remote malicious person to bypass authentication when using LDAP to authenticate. The developers of Cacti have fixed the vulnerability in version v.1.20. For more information, see:...

PT-2019-11744 · Jenkins · Jenkins Configuration As Code Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Configuration as Code Plugin versions 1.20 and earlier Jenkins Configuration as Code Plugin versions prior to 1.25 Description: The issue concerns the handling of the proxy password in the Jenkins Configuration as Code Plugin...

CVE-2017-8977

A Remote Denial of Service vulnerability in Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance version v1.20 was found...