Ubuntu 24.04 LTS / 25.10 : XDG Desktop Portal vulnerability (USN-8287-1)

The remote Ubuntu 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8287-1 advisory. It was discovered that XDG Desktop Portal incorrectly handled trashing files. A local attacker could possibly use this issue to delete arbitrary files on...

Linux Distros Unpatched Vulnerability : CVE-2026-47373

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing cou...

Unity Linux 20.1050e / 20.1070e Security Update: perl-Mojolicious (UTSA-2026-016607)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016607 advisory. The Mojolicious module before 8.65 for Perl is vulnerable to securecompare timing attacks that allow an attacker to guess the length of a secret string. Only version...

CVE-2026-5091

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password...

Division by zero

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

CVE-2026-5091 Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password...

CVE-2026-5091

CVE-2026-5091 affects Catalyst::Plugin::Authentication up to version 0.10024 for Perl. The issue is a timing-attack vulnerability arising from using Perl’s built-in eq comparison, enabling an attacker with local access to distinguish timing differences and potentially infer the underlying hash or...

CVE-2026-5091

Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash or password...

GHSA-VJ64-RJF3-W3V7 Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss

Impact - Key: challenger/src/multifieldchallenger.rs | MultiField32Challenger::duplexing | transcriptmalleability - Affected files: challenger/src/multifieldchallenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed fiel...

Malicious code in chai-as-tuned (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7e00f81e117716cfd7fd3565cf8b04073cd494a6da2c23749669133806a7473 Package name chai-as-tuned impersonates chai-as-promised and ships a README copy-pasted from the unrelated pino project npm/CI badges point at...

CVE-2026-48236

Open ISES Tickets before 3.44.2 contains a SQL injection in db_loader.php where multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and used in dynamic SQL against an attacker‑controlled database without sanitization. A...

CVE-2026-48229

Open ISES Tickets before 3.44.2 contains a reflected XSS in routes_i.php that lets authenticated users inject JavaScript by passing an unsanitized value through the ticket_id GET parameter into HTML form hidden input value attributes. Payload executes when the response is rendered. Affected compo...

CVE-2026-48216 Open ISES Tickets < 3.44.2 Reflected XSS via db_loader.php Multiple POST Parameters

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in dbloader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters ticketshost, ticketsdb, ticketsuser, ticketspassword,...

RLSA-2026:3840 Important: image-builder security update

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2025-61729 golang: net/url: Memory exhaustion in query...

CVE-2026-44060

A flaw was found in Netatalk. A remote attacker could exploit an integer underflow vulnerability in the dsiwriteinit function by sending a specially crafted request. This could lead to a denial of service DoS, making the service unavailable to legitimate users...

CVE-2026-44061

A flaw was found in Netatalk. This vulnerability involves the DES-ECB Data Encryption Standard - Electronic Codebook authentication mechanism, which is susceptible to a timing side channel attack. A remote attacker could potentially exploit this timing difference during authentication to gain...

CVE-2026-44049

A flaw was found in Netatalk. A remote attacker could exploit an out-of-bounds write vulnerability within the convertcharset function. This issue, caused by improper null termination, allows an attacker to write data beyond the allocated memory buffer. Successful exploitation could lead to...

SUSE CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-44071

A flaw was found in Netatalk. This issue arises because the software is compiled without FORTIFYSOURCE, a security feature that provides built-in buffer overflow detection at runtime. A remote attacker could exploit this by triggering memory errors that would otherwise be safely handled, leading ...

Malicious code in tensor-compute (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a3d1b50077a6311a43061891fa560d2c180fbdbd12ab4965e0d265910e6ef68 [email protected] presents itself as a Rust-backed tensor library but is a dropper. setup.py registers a custom buildext command src/buildext.py...