37 matches found
CVE-2026-44251
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.0.0 and above, prior to 4.14.5, a sizet integer underflow in oscrypto/shared/msgs.c:389 allows any enrolled Wazuh agent to crash the wazuh-remoted process on the manager, immediately...
CVE-2026-46377 Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the escape sequence handler in Tokenizer.parseCurRune in selector/lexer/tokenize.go increments past a trailing backslash in a quoted string such as "\ or '\ and then reads...
UBUNTU-CVE-2026-59869
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in...
CVE-2026-48500
Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, so...
EUVD-2026-38025
Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...
org.glassfish.main.admingui:admingui (>=6.0.0 <=9.0.0-M1), org.glassfish.main.admingui:console-cluster-plugin (>=6.0.0 <=9.0.0-M1) +19 more potentially affected by CVE-2026-2586 via org.glassfish.jsftemplating:jsftemplating (>=3.0.0 <=4.1.0)
org.glassfish.jsftemplating:jsftemplating MAVEN version =3.0.0, =6.0.0, =6.0.0, =7.0.16, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =9.0.0-M1 and more Source cves: CVE-2026-2586 Source advisory: OSV:GHSA-96V6-HQ43-X9H4https://vulners.c...
CVE-2026-44308
CVE-2026-44308 concerns Spring Cloud AWS, where the SNS HTTP/HTTPS endpoint support methods (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) failed to verify incoming SNS message signatures from versions 3.0.0 through 4.0.1. An unauthent...
@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-44001 via vm2 (>=3.0.0 <=3.10.5)
vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-44001 Source advisory: SNYK:JS-VM2-16438945...
org.apache.camel.kafkaconnector:camel-sjms2-kafka-connector (>=0.1.0 <=4.14.5), org.apache.camel.kafkaconnector:itests-sjms2 (>=0.3.0 <=4.14.5) +10 more potentially affected by CVE-2026-40860 via org.apache.camel:camel-sjms2 (>=3.0.0-M1 <=4.14.6)
org.apache.camel:camel-sjms2 MAVEN version =3.0.0-M1, =0.1.0, =0.3.0, =0.1.0, =4.10.3, =1.0.0, =1.0.0-M1, =2.2.0, =2.2.0, =1.0.0, =1.0.0, =3.0.0, =3.0.0-M1, =3.0.0-RC3 Source cves: CVE-2026-40860 Source advisory: SNYK:JAVA-ORGAPACHECAMEL-16321538...
CVE-2026-40860 Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
JmsBinding.extractBodyFromJms in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +39 more potentially affected by CVE-2025-54550 via apache-airflow-core (>=3.0.0 <=3.2.0b1)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2025-54550 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16094668...
CVE-2026-5189
CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitatio...
CVE-2026-33929 Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or...
DEBIAN-CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.hos...
@01.software/cli (>=0.1.1 <=0.2.0-dev.260310.cf511cb), @01.software/sdk (>=0.0.1-251008.90016 <=0.3.0) +33 more potentially affected by CVE-2026-34749 via payload (>=3.0.0-alpha.46 <=3.79.0)
payload NPM version =3.0.0-alpha.46, =0.1.1, =0.0.1-251008.90016, =0.0.6, =0.0.3, =1.0.1-beta.0, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =3.64.0, =0.0.1-beta.0, =0.2.0, =0.2.14 and more Source cves: CVE-2026-34749 Source advisory: SNYK:JS-PAYLOAD-15873856...
@adenta/cms (>=0.0.6 <=1.1.1-0), @ainsleydev/payload-helper (>=0.0.6 <=0.3.2) +24 more potentially affected by CVE-2026-34747 via @payloadcms/drizzle (>=3.0.0-beta.100 <=3.79.0)
@payloadcms/drizzle NPM version =3.0.0-beta.100, =0.0.6, =0.0.6, =3.22.1, =3.37.0, =1.0.0, =3.53.0, =3.61.1-2, =3.50.0-internal.ca62628, =3.0.0, =3.0.0, =3.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2026-34747 Source advisory: SNYK:JS-PAYLOADCMSDRIZZLE-15873854...
BIT-AIRFLOW-2026-26929 Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...
@3t-transform/threeteeui (>=1.5.1 <=1.10.0), @8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4) +1240 more potentially affected by CVE-2025-15599 via dompurify (>=3.0.0 <=3.2.6)
dompurify NPM version =3.0.0, =1.5.1, =0.18.0-beta.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.0.0, =4.4.0-rc1, =6.4.10, =5.1.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.2, =1.0.9 and more Source cves: CVE-2025-15599 Source advisory: SNYK:JS-DOMPURIFY-15371386...
apache-airflow (>=3.0.0 <=3.0.4rc2), apache-airflow-providers-common-sql (>=1.25.0 <=1.25.0rc1) +3 more potentially affected by CVE-2025-54941 via apache-airflow-core (>=3.0.0 <=3.0.4rc2)
apache-airflow-core PYPI version =3.0.0, =3.0.0, =1.25.0, =1.0.0, =1.16.0, =1.0.6, =1.0.9 Source cves: CVE-2025-54941 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-13786421...
@anjy7/navbar-cms (=0.0.5), @contentql/core (>=0.1.2 <=0.3.5) +14 more potentially affected by CVE-2025-4643 via @payloadcms/next (>=3.0.0-alpha.46 <=3.44.0-internal.6b79dc2)
@payloadcms/next NPM version =3.0.0-alpha.46, =0.1.2, =0.1.0, =3.2.0, =0.2.0, =0.1.0, =0.1.4, =1.0.0, =0.0.5, =0.0.1, =0.0.9-alpha.52, =0.0.5, =3.0.0-beta.3, =0.0.3, =1.0.0 and more Source cves: CVE-2025-4643 Source advisory: OSV:GHSA-5V66-M237-HWF7...