1287759 matches found
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps...
The vulnerability of the pg_dump utility in the PostgreSQL database management system allows a hacker to execute arbitrary code.
The vulnerability of the pgdump utility in the PostgreSQL database management system is related to the lack of security measures for SQL query structures. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...
The vulnerability of the software for calculating positions of individual RTLS transponders in the SIMATIC RTLS Locating Manager lies in the lack of a mechanism for verifying input data during backup scenarios. This allows a malicious actor to execute arbitrary code with SYSTEM privileges.
The vulnerability of the software for calculating positions of individual RTLS transponders in the SIMATIC RTLS Locating Manager is related to deficiencies in the mechanism for verifying input data during backup scenario execution. Exploiting this vulnerability could allow an attacker, operating...
The vulnerability of the Directum Web Agent component of the Directum RX system, which arises due to insufficient validation of input data, allows a perpetrator to execute arbitrary code.
The vulnerability of the Directum Web Agent component of the Directum RX system exists due to insufficient validation of input data. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code using a specially crafted file...
The vulnerability of the Directum HR Pro system, which exists due to insufficient verification of input data, allows a perpetrator to disclose protected information.
The vulnerability of the Directum HR Pro system exists due to insufficient verification of input data. Exploiting this vulnerability can allow a malicious actor to disclose protected information by sending a specially crafted POST request...
The vulnerability of the Directum RX ECM system, related to deficiencies in access control, allows a perpetrator to compromise data integrity.
The vulnerability of the Directum RX ECM system is related to deficiencies in access control. Exploiting this vulnerability could allow a remote attacker to compromise data integrity...
Security Bulletin: IBM Operational Decision Manager for June 2026 - Multiple CVEs addressed
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Operational Decision Manager Vulnerability Details CVEID:CVE-2026-9828 DESCRIPTION: Deserialization of untrusted data vulnerability in QOS.CH Sarl logback...
389-ds-base: 389-ds-base: integer overflow in SASL packet length bypasses size limit leading to heap buffer overflow
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server 389-ds-base. In sasliostartpacket, adding sizeofuint32t to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer...
389-ds-base: 389-ds-base: Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server 389-ds-base. After a successful SASL bind with integrity protection SSF 0, an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer...
The Verification Step Is the New ATO Battleground in 2026
For years, account takeover ATO followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not because attackers...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by a Denial of Service vulnerability due to pyasn1
Summary pyasn1 is used by IBM Cloud Pak for Data System 1.0 as a generic ASN.1 encoding and decoding library for Python applications. CVE-2026-30922 affects pyasn1's ASN.1 decoder, where processing of crafted payloads containing deeply nested SEQUENCE or SET tags with indefinite length markers...
GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a new study of GitHub Copilot by researchers Abhishek Kumar and Carsten Maple. The...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by a Regular Expression Denial of Service vulnerability due to idna
Summary idna is used by IBM Cloud Pak for Data System 1.0 as a Python library for Internationalized Domain Names in Applications IDNA encoding and decoding. CVE-2026-45409 affects idna's encode function, where processing of arbitrarily large domain name inputs exploits the validcontexto function...
Cybersecurity and the Gap Between Skill and Ability
Last week, national security agencies from the Five Eyes--that's the rich, English-language-speaking countries club--jointly released a statement warning of the increasing cyber risks of AI models: in particular, their ability to autonomously hack into systems and networks. The statement was more...
Exploit for CVE-2026-40047
camel-docling CLI Argument Injection / Path Traversal Reproduc...
Security Bulletin: IBM Maximo Application Suite - Monitor Component uses multiple packages which are vulnerable to multiple CVEs.
Summary IBM Maximo Application Suite - Monitor Component uses next-15.5.14.tgz, tomcat-embed-core-10.1.54.jar, systeminformation-5.31.4.tgz, jackson-core-2.19.2.jar, jackson-core-2.19.4.jar, jackson-core-2.20.0.jar, jackson-core-2.21.0.jar which are vulnerable to CVE-2026-44572, CVE-2026-44573,...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by multiple vulnerabilities due to cryptography
Summary cryptography is used by IBM Cloud Pak for Data System 1.0 as a Python package providing cryptographic primitives and recipes for secure communications. Multiple vulnerabilities affect the cryptography package. CVE-2024-12797 involves missing error reporting in RFC7250 Raw Public Key RPK...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by a command injection vulnerability due to Click
Summary Click is used by IBM Cloud Pak for Data System 1.0 as a command-line interface creation library for Python applications. CVE-2026-7246 affects Click's click.edit function, which fails to properly neutralize special elements in input, allowing attackers to inject and execute arbitrary...
Malicious code in @vwfs-its/sf-sac-frontend (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 2e08b57aacea0c5dcc883413eddf7737e7a45fa2c21bd5381d4e80235b3ef182 The OpenSSF Package Analysis project identified '@vwfs-its/sf-sac-frontend' @ 20.1.1 npm as malicious. It is considered malicious because: - The...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by a sensitive information caching vulnerability due to Flask
Summary Flask is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application framework. CVE-2026-27205 affects Flask's session handling, where certain forms of session object access such as the Python in operator fail to set the Vary: Cookie header, resulting in session-specific responses...