2786 matches found
EUVD-2026-38779
A cross-site request forgery CSRF vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key...
RLSA-2026:28157 Important: python3.14-urllib3 security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
PT-2026-52038
Name of the Vulnerable Software and Affected Versions Tapo C200 v3 Description A denial-of-service DoS issue exists in the network packet handling logic due to improper processing of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource...
EUVD-2026-38590
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty"renamed" on the getter and @JsonIgnore on the setter to be renamed...
BIT-APISIX-2026-39998 Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...
[SECURITY] Fedora 44 Update: python3.14-3.14.6-1.fc44
Python 3.14 is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries...
CVE-2026-48510
MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed...
CVE-2026-54275
CVE-2026-54275 (aiohttp) affects the aiohttp package prior to 3.14.1. The issue is a TLS server_hostname SNI check bypass that occurs when an existing connection is reused for multiple requests with different per-request server_hostname values. As a result, later requests to the same domain may r...
DEBIAN-CVE-2026-12479
A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the DiskIOStore.make method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths...
MINI-M8QG-V3P9-C7CR
Bulletin has no description...
UBUNTU-CVE-2026-12805
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used...
CVE-2026-48774
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP runsqlreadonly tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword...
CVE-2026-48774
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP runsqlreadonly tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword...
CVE-2026-49871
CVE-2026-49871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations in Apache APISIX versions 3.0.0–3.16.0. The issue allows a remote attacker who can lure a victim to a controlled webpage to cause the victim’s browser to become authentic...
PT-2026-50883
Name of the Vulnerable Software and Affected Versions Apache APISIX versions 1.2.0 through 3.16.0 Description A Use of Less Trusted Source issue exists where an attacker can leverage the wolf-rbac plugin under default configuration. This allows for the potential pollution of logs with spoofed...
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...
CVE-2026-42530
A flaw was found in the ngxhttpv3module module of NGINX. When NGINX is configured to use the HTTP/3 QUIC module, an attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream and cause a use-after-free issue, potentially allowing code execution or a denial of service by...
CVE-2026-55204
HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpackdhtinsert within src/hpack-tbl.c that fails to validate the return value of hpackdhtdefrag when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memo...
CVE-2026-50141
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctl...
ROOT-APP-GOBINARY-CVE-2025-62156 CVE-2025-62156 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root
Root has patched CVE-2025-62156 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...