Amazon Linux 2023 : python3.12, python3.12-devel, python3.12-idle (ALAS2023-2026-1619)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1619 advisory. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control...

Amazon Linux 2023 : tigervnc, tigervnc-icons, tigervnc-license (ALAS2023-2026-1626)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1626 advisory. XKB Integer Underflow in XkbSetCompatMap CVE-2026-33999 XKB Out-of-bounds Read in CheckSetGeom CVE-2026-34000 XSYNC Use-after-free in miSyncTriggerFence CVE-2026-34001 XKB Out-of-bounds read i...

Amazon Linux 2 : openssl, --advisory ALAS2-2026-3274 (ALAS-2026-3274)

The version of openssl installed on the remote host is prior to 1.0.2k-24. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3274 advisory. NULL Pointer Dereference When Processing a Delta CRL NOTE: https://openssl-library.org/news/secadv/20260407.txt...

Important: tigervnc

Issue Overview: XKB Integer Underflow in XkbSetCompatMap CVE-2026-33999 XSYNC Use-after-free in miSyncTriggerFence CVE-2026-34001 XKB Out-of-bounds read in CheckModifierMap CVE-2026-34002 XKB Buffer overflow in CheckKeyTypes CVE-2026-34003 Affected Packages: tigervnc Note: This advisory is...

Medium: python3.13-tornado

Issue Overview: In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536 Affected Packages: python3.13-tornado Issue Correction: Run dnf update...

Low: python-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

Low: python-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

Amazon Linux 2023 : composer (ALAS2023-2026-1625)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1625 advisory. Command injection via malicious Perforce repository definition CVE-2026-40176 Command injection via malicious Perforce source reference/url CVE-2026-40261 Tenable has extracted the preceding...

Amazon Linux 2023 : cups, cups-client, cups-devel (ALAS2023-2026-1635)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1635 advisory. OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in...

Amazon Linux 2 : dovecot, --advisory ALAS2-2026-3252 (ALAS-2026-3252)

The version of dovecot installed on the remote host is prior to 2.2.36-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3252 advisory. Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can us...

Amazon Linux 2 : webkitgtk4, --advisory ALAS2-2026-3270 (ALAS-2026-3270)

The version of webkitgtk4 installed on the remote host is prior to 2.52.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3270 advisory. A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari...

Amazon Linux 2 : tigervnc, --advisory ALAS2-2026-3273 (ALAS-2026-3273)

The version of tigervnc installed on the remote host is prior to 1.8.0-24. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3273 advisory. XKB Integer Underflow in XkbSetCompatMap CVE-2026-33999 XSYNC Use-after-free in miSyncTriggerFence CVE-2026-34001 XKB...

Amazon Linux 2023 : ImageMagick, ImageMagick-c++, ImageMagick-c++-devel (ALAS2023-2026-1611)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1611 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when Magick parses an XML file it is possible that a...

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1593)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1593 advisory. SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time in the Go toolchain cmd/go due to trust layer bypass...

Amazon Linux 2 : docker, --advisory ALAS2DOCKER-2026-111 (ALASDOCKER-2026-111)

The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2026-111 advisory. Arithmetic over induction variables in loops were not correctly checked for underflow or overflow in the Go compiler...

Amazon Linux 2023 : ImageMagick, ImageMagick-c++, ImageMagick-c++-devel (ALAS2023-2026-1640)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1640 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could...

Amazon Linux 2 : cups, --advisory ALAS2-2026-3279 (ALAS-2026-3279)

The version of cups installed on the remote host is prior to 1.6.3-51. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3279 advisory. OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and...

Amazon Linux 2 : flatpak, --advisory ALAS2-2026-3261 (ALAS-2026-3261)

The version of flatpak installed on the remote host is prior to 1.0.9-10. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3261 advisory. A complete sandbox escape vulnerability exists in Flatpak before 1.16.4. The Flatpak portal accepts paths in the sandbox-expose...

Amazon Linux 2023 : maven3.9, maven3.9-amazon-corretto8, maven3.9-amazon-corretto11 (ALAS2023-2026-1602)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1602 advisory. Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus- utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute...

Amazon Linux 2 : gimp, --advisory ALAS2GIMP-2026-014 (ALASGIMP-2026-014)

The version of gimp installed on the remote host is prior to 2.8.22-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2GIMP-2026-014 advisory. GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to...