USN-8148-1: Linux kernel vulnerabilities

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Netfilter; - Network traffic control; CVE-2026-23060, CVE-2026-23074, CVE-2026-23111...

USN-8148-1 linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi vulnerabilities

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Netfilter; - Network traffic control; CVE-2026-23060, CVE-2026-23074, CVE-2026-23111...

CVE-2026-34526 SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\d+.\d+.\d+.\d+$/. This...

CVE-2026-34526 SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^\d+.\d+.\d+.\d+$/. This...

CVE-2026-34526

Summary of CVE-2026-34526 (SillyTavern) : An incomplete IP validation in the /api/search/visit flow enables SSRF against internal hosts in versions prior to 1.17.0. The root cause is a hostname check in src/endpoints/search.js that uses the regex /^?\d+.\d+.\d+.\d+$/ to match only literal dotted-...

CVE-2026-34522 SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to...

CVE-2026-34522

SillyTavern has a path traversal vulnerability in /api/chats/import (pre-1.17.0). Unsanitized character_name is used to build the destination path with path.join, enabling write of attacker-controlled files outside the chats directory. Fix: upgrade to version 1.17.0 (patch already released).

CVE-2026-5175

Improper access control in the multi-factor authentication MFA management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from...

DEBIAN-CVE-2026-34876

An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtlsccmfinish in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized taglen parameter. This is caused by missing validation of t...

CVE-2026-34876

An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtlsccmfinish in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized taglen parameter. This is caused by missing validation of t...

Exploit for CVE-2026-28767

CERT/CC VU653116 | CISA Advisory ICSA-26-055-03https:/...

Important: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.11 Images Update

New images are available for Red Hat build of Keycloak 26.4.11 and Red Hat build of Keycloak 26.4.11 Operator, running on OpenShift Container Platform Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Ha...

keycloak: Keycloak: Information Disclosure via improper role enforcement in UMA 2.0 Protection API

A flaw was found in Keycloak. The User-Managed Access UMA 2.0 Protection API endpoint for permission tickets fails to enforce the umaprotection role check. This allows any authenticated user with a token issued for a resource server client, even without the umaprotection role, to enumerate all...

Malicious code in vv-ftend-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52e6dc460495b044b5104f5b43ce39cacbc3bddfd089ca9f48ba821fb9d9b77c The package vv-ftend-api was found to contain malicious code. Source: ghsa-malware 516291f1a77610b9273279b0bfc4b6502c42024be5ce84308ad96ab226fa216d A...

MAL-2026-2428 Malicious code in vv-ftend-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52e6dc460495b044b5104f5b43ce39cacbc3bddfd089ca9f48ba821fb9d9b77c The package vv-ftend-api was found to contain malicious code. Source: ghsa-malware 516291f1a77610b9273279b0bfc4b6502c42024be5ce84308ad96ab226fa216d A...

Malicious code in bytefrontier-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 454ed598382f4741fd508b6e967cfbf60629e200716dd52a83502bc7d9bdd487 The package bytefrontier-api was found to contain malicious code. Source: ghsa-malware fe062cefc7bc337f97aa697a47d972ab881c8000714a3d5161ebb68c811b37...

MAL-2026-2422 Malicious code in bytefrontier-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 454ed598382f4741fd508b6e967cfbf60629e200716dd52a83502bc7d9bdd487 The package bytefrontier-api was found to contain malicious code. Source: ghsa-malware fe062cefc7bc337f97aa697a47d972ab881c8000714a3d5161ebb68c811b37...

Malicious code in partner-tracker-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abcff950068cf454cf07ead8614f95dd6291f4204f72ada102c7b4c3d72c0cd1 The package partner-tracker-api was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2427 Malicious code in partner-tracker-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abcff950068cf454cf07ead8614f95dd6291f4204f72ada102c7b4c3d72c0cd1 The package partner-tracker-api was found to contain malicious code. Source: ghsa-malware...

openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables

A flaw was found in the OpenSSH GSSAPI Generic Security Service Application Program Interface delta patches, as included in various Linux distributions. A remote attacker could exploit this by sending an unexpected GSSAPI message type during the key exchange process. This occurs because the...