EUVD-2026-38593
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating th...
CVE-2026-54513
CVE-2026-54513 affects jackson-databind. A vulnerability in BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allows bypass of per-element allowlists when deserializing arrays, if the array element type is not explicitly allowlisted, potentially enabling dangerous types like EvilType[...
CVE-2026-47375
CVE-2026-47375 (NocoDB) : A Postgres-backed deployment is vulnerable to authenticated SQL injection through the ARRAYSORT formula when a user with columnAdd permission supplies a malicious second argument. The issue arises because the attacker-controlled value is embedded into a knex.raw ORDER BY...
CVE-2026-45692
CVE-2026-45692 (Caddy) describes a remote admin authorization bypass where the /config traversal layer and the authorization layer disagree on the target object. Specifically, from 2.4.0 through 2.11.3, an authorized path such as /config/apps/http/servers/srv/routes/0 could be used to access or m...
CVE-2026-48514
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining...
EUVD-2026-38382
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining...
CVE-2026-49358
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles (invoked from __destruct and from a registered shutdown function) calls unlink on every entry without verifying...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerabilities have been resolved: dm-raid456, md/raid456: A deadlock has been fixed in dm-raid456 when I/O operations are concurrent with the reshape process. For raid456, if the reshape process is still in progress, then I/O operations across the reshape...
Astra Linux – Vulnerability in Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fixed a potential out-of-bounds read in qede_tpa_cont and qede_tpa_end. The loops in 'qede_tpa_cont' and 'qede_tpa_end' iterate over 'cqe->len_list', using only a zero-length terminator as the stopping condition. If the...
Astra Linux – Vulnerability in cjson
In versions of cJSON 1.5.0 through 1.7.18, the decode_array_index_from_pointer function in cJSON_Utils.c allows for out-of-bounds access. This enables remote attackers to bypass array bounds checking and access restricted data through malformed JSON pointer strings containing alphanumeric characters...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: bcache: Fixed the abuse of variable-length arrays in btree_iter. btree_iter is used in two ways: either allocated on the stack with a fixed size MAX_BSETS, or from a mempool with a dynamic size based on the specific cache set...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: dm ioctl: prevent potential Spectre v1 exploits. It seems that cmd could be exploited via Spectre v1, as it is provided by a user and used as an array index. The fix prevents the contents of kernel memory from being leake...
Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: rx-macro: fixed an issue where accessing an array was done outside the bounds of the array for an enum type. Accessing enums using integers would result in accessing an array outside its bounds on platforms like...
Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: iio: adc: mp2629: fixed potential array out-of-bound access issues. A sentinel was added at the end of the maps to prevent potential array out-of-bound access in the iio core...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: phy: marvell: a3700-comphy: Fix out-of-bounds read issue. There is an out-of-bounds read access to gbe_phy_init_fix[fix_idx].addr during each iteration after fix_idx reaches ARRAY_SIZE(gbe_phy_init_fix). Ensure that gbe_phy_init[addr] is used when...
EUVD-2026-37977
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers...
CVE-2026-56132
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers...
Siemens RUGGEDCOM RST2428P Improper Input Validation (CVE-2025-40252)
In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont and qede_tpa_end. The loops in 'qede_tpa_cont' and 'qede_tpa_end' iterate over 'cqe->len_list' using only a zero-length terminator as the stopping condition. If the...
CVE-2026-10641 Out-of-bounds write in Bluetooth HFP Hands-Free CIND indicator parsing (cind_handle_values)
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle, which assigns a per-entry counter index a...