CVE-2026-47273

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pamusb builds XPath expressions from user-supplied identifiers PAM username, service name and device-supplied identifiers USB device serial, model, vendor to query /etc/pamusb.conf. These identifiers...

CVE-2026-47273 pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pamusb builds XPath expressions from user-supplied identifiers PAM username, service name and device-supplied identifiers USB device serial, model, vendor to query /etc/pamusb.conf. These identifiers...

CVE-2026-47273

CVE-2026-47273 affects pam_usb on Linux prior to 0.9.0. The vulnerability arises when pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB serial, model, vendor) to query /etc/pamusb.conf without validating XPath metacha...

Important: amazon-cloudwatch-agent

Issue Overview: Arithmetic over induction variables in loops were not correctly checked for underflow or overflow in the Go compiler cmd/compile. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption in programs compiled with...

ROOT-APP-GOBINARY-CVE-2026-32287 CVE-2026-32287 in rootio-github.com/antchfx/xpath - Patched by Root

Root has patched CVE-2026-32287 in the rootio-github.com/antchfx/xpath package for Root:Go. Multiple fixed versions available...

Alibaba Cloud Linux 3 : 0104: libxml2 (ALINUX3-SA-2026:0104)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2026:0104 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-9714: Uncontrolled recursion inXPath...

K000156734: BIG-IP Configuration utility vulnerability CVE-2026-40699

Security Advisory Description A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. CVE-2026-40699 Impact This vulnerability may allow a low-privileged authenticated...

PYSEC-2026-29

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpathfilter switches to XML mode for XML/RSS content and creates etree.XMLParserstripcdata=False without explicitly disabling external entity resolution, external DTD loading, or network-backed entity...

xpath 1.0.0

xpath is a multi-technique XPath injection scanner written entirely in Nim with no external dependencies. It's a single static binary that handles error-based, boolean blind, time-based blind, union injection, and authentication bypass detection, plus data extraction once injection is confirmed. ...

BIT-JRE-2025-24855

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal...

BIT-JAVA-MIN-2025-24855

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal...

BIT-JAVA-2025-24855

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal...

XML External Entity (XXE) Injection

Overview changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to XML External Entity XXE Injection via the xpathfilter process. An attacker can access sensitive local files by supplying crafted XML or RSS content containing...

PT-2026-37163

Name of the Vulnerable Software and Affected Versions changedetection.io versions 0.54.9 and earlier Description The software contains an XML External Entity XXE issue where the xpath filter function switches to XML mode for XML/RSS content and creates an etree.XMLParserstrip cdata=False without...

Important: Red Hat Security Advisory: Red Hat build of OpenTelemetry 3.9.2 release

Red Hat build of OpenTelemetry 3.9.2 has been released This release of the Red Hat build of OpenTelemetry provides security improvements. Breaking changes: None Deprecations: None Technology Preview features: None Enhancements: None Bug fixes: XPath library vulnerability is fixed: Previously, the...

Important: Red Hat Security Advisory: Red Hat OpenShift distributed tracing platform (Tempo) 3.9.2 release

Red Hat OpenShift distributed tracing platform Tempo 3.9.2 has been released This release of the Red Hat OpenShift distributed tracing platform Tempo provides security improvements and bug fixes. Breaking changes: None. Deprecations: None. Technology Preview features: None. Enhancements: None. Bu...

CLEANSTART-2026-WA84208 Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery

Multiple security vulnerabilities affect the tempo package. Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery. See references for individual vulnerability details...

CVE-2026-35000

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc and similar file-access primitives. Attackers can exploit th...

EUVD-2026-18005

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc and similar file-access primitives. Attackers can exploit th...

CVE-2026-35000

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc and similar file-access primitives. Attackers can exploit th...