CVE-2026-42508 Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked...

GO-2026-5021 Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked...

Linux Distros Unpatched Vulnerability : CVE-2026-33376

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate...

Malicious code in cryptoco-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68 On require, index.js opens TCP connections to the cloud link-local metadata address 169.254.169.254 across ports 80, 443, 8080, 3000, 5432, and 6379,...

MAL-2026-4230 Malicious code in cryptoco-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68 On require, index.js opens TCP connections to the cloud link-local metadata address 169.254.169.254 across ports 80, 443, 8080, 3000, 5432, and 6379,...

Security Bulletin: Vault Terraform Provider Incorrect Defaults for LDAP Auth Method, Resulting in Insecure Configuration and Potential Authentication Bypass

Summary Vault’s Terraform Provider incorrectly set the default denynullbind parameter for the LDAP auth method to false by default. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in...

httpd: Fix of 5 CVEs

CVE-2026-28780: modproxyajp 4-byte heap buffer overflow when contacting a malicious AJP backend off-by-AJPHEADERLEN check in ajpmsgcheckheader - CVE-2026-34059: modproxyajp heap over-read in ajpparsedata on short AJP replies - CVE-2026-33006: modauthdigest used non-constant-time strcmp for...

CVE-2026-44073 seteuid failure ignored in auth modules

Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid, which may allow a remote authenticated attacker to retain elevated privileges under error conditions...

EUVD-2026-31220

Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid, which may allow a remote authenticated attacker to retain elevated privileges under error conditions...

PT-2026-42680

Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

PT-2026-42622

Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

GO-2026-4964 Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution in github.com/rclone/rclone

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution in github.com/rclone/rclone. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this ...

Astra Linux - уязвимость в linux-6.1

In the Linux kernel, the following vulnerability has been resolved: nvmet-auth: Assign dhkey to NULL after kfreesensitive. ctrl-dhkey might be used across multiple calls to nvmetsetupdhgroup for the same controller. Therefore, it’s better to set it to NULL after a error-free release, in order to...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: ceph: fixed the issue where mds auth caps were applied to multiple file systems The mds auth caps check should also validate the fsname along with the associated caps. Failure to do so would result in applying mds auth caps fr...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: NFSD: Deferred sub-object cleanup in export put callbacks The svcexportput function calls pathput and authdomainput immediately when the last reference is dropped, before the RCU grace period. RCU readers in eshow and cshow...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: libceph: Defined and enforced the CEPHMAXKEYLEN. When decoding the key, verify that the key material fits into a fixed-size buffer in processauthdone, and that its length is reasonable. The new CEPHMAXKEYLEN check replaces the...

Astra Linux - уязвимость в linux-5.10, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: In libceph, the error from monhandleauthdone is now properly returned. Currently, any error from cephauthhandlereplydone is propagated via finishauth, but it is not returned from monhandleauthdone. This results in higher layers...

Astra Linux - уязвимость в xrdp

XRDPT is an open-source remote desktop protocol RDP server. In versions prior to 0.9.23, improper handling of session establishment errors allowed bypassing OS-level session restrictions. The authstartsession function could return a non-zero value 1 in the event of, for example, PAM errors. This...

Astra Linux - уязвимость в linux-6.1

In the Linux kernel, the following vulnerability has been resolved: libceph: Potential out-of-bounds writes have been prevented in the handleauthsessionkey function. The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes...

Astra Linux - уязвимость в firefox, thunderbird

The username:password portion was not properly removed from URLs in CSP reports, which could potentially expose HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...