
820 matches found

CNNVD, added 2026/05/11 12:0 a.m., 7 views

Security vulnerabilities in multiple WSO2 products

WSO2 Identity Server (IS) is a product of the American company WSO2. WSO2 Identity Server is an identity authentication server. WSO2 Identity Server as a Key Manager serves as an identity server. WSO2 Open Banking IAM is an identity and access management solution for the open banking sector. Severa...

CVSS 5.3, AI score 5.8, EPSS 0.00184
Exploits: 0, References: 1

Tenable Nessus, added 2026/05/10 12:0 a.m., 8 views

SUSE SLED15 / SLES15 Security Update : jetty-minimal (SUSE-SU-2026:1751-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1751-1 advisory. - CVE-2026-2332: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extension...

CVSS 9.1, AI score 5.9, EPSS 0.00523
Exploits: 1, References: 7

OSV, added 2026/05/09 3:35 a.m., 5 views

CLSA-2026-1778297730 exim: Fix of 2 CVEs

CVE-2026-40685: dewrap OOB read/write on trailing backslash in JSON header - CVE-2026-40687: SPA authenticator OOB read/write and base64 decode infoleak - Refresh Exim-Maintainers-Keyring.asc to verify the 4.99.x release tarball signature...

CVSS 9.8, AI score 5.8, EPSS 0.00373
Exploits: 0, References: 1

Snyk, added 2026/05/07 9:5 p.m., 4 views

Incorrect Authorization

Overview: web-auth/webauthn-framework is a FIDO-U2F / FIDO2 / Webauthn Framework. Affected versions of this package are vulnerable to Incorrect Authorization via the ClientOverridePolicy process. An attacker can bypass user verification requirements by supplying a crafted userVerification paramete...

CVSS 2.4, AI score 5.8
Exploits: 0, References: 2

OSV, added 2026/05/07 5:4 p.m., 8 views

CLSA-2026-1778173472 exim: Fix of 2 CVEs

CVE-2026-40685: fix heap corruption when expanding malformed JSON - CVE-2026-40687: fix heap buffer overflow and infoleak in SPA authenticator...

CVSS 9.8, AI score 6.2, EPSS 0.00373
Exploits: 0, References: 1

OSV, added 2026/05/07 11:53 a.m., 3 views

SUSE-SU-2026:1751-1 Security update for jetty-minimal

This update for jetty-minimal fixes the following issues: - CVE-2026-2332: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the 'funky chunks' techniques (bsc#1262115). - CVE-2026-5795: Fixed JaspiAuthenticator broken access control...

CVSS 9.1, AI score 5.8, EPSS 0.00523
Exploits: 1, References: 5

OSV, added 2026/05/06 11:31 p.m., 2 views

GHSA-22W3-693W-X895 webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed

Summary: webauthn-rs-core (Relying Party) and webauthn-authenticator-rs (client) checked that an Origin in CollectedClientData is valid for an RP ID with str::ends_with, without checking for a dot (.) before the RP ID when allowing subdomains (registerable suffix). This check is flawed,...

CVSS 2.3, AI score 5.9
Exploits: 0, References: 2

Github Security Blog, added 2026/05/06 11:31 p.m., 5 views

webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed

Summary: webauthn-rs-core (Relying Party) and webauthn-authenticator-rs (client) checked that an Origin in CollectedClientData is valid for an RP ID with str::ends_with, without checking for a dot (.) before the RP ID when allowing subdomains (registerable suffix). This check is flawed,...

AI score 5.9
Exploits: 0, References: 2, Affected Software: 2

OSV, added 2026/05/05 11:46 p.m., 6 views

CLSA-2026-1778024757 exim: Fix of CVE-2026-40687

CVE-2026-40687: fix uninitialized buffer and out-of-bounds writes in SPA authenticator...

CVSS 9.1, AI score 6.1, EPSS 0.00373
Exploits: 0, References: 1

OSV, added 2026/05/05 11:39 p.m., 9 views

CLSA-2026-1778024392 exim: Fix of CVE-2026-40687

CVE-2026-40687: fix uninitialized buffer and out-of-bounds writes in SPA authenticator...

CVSS 9.1, AI score 6.1, EPSS 0.00373
Exploits: 0, References: 1

CloudLinux, added 2026/05/05 11:39 p.m., 11 views

exim: Fix of CVE-2026-40687

CVE-2026-40687: fix uninitialized buffer and out-of-bounds writes in SPA authenticator...

CVSS 9.1, AI score 6.1, EPSS 0.00373
Exploits: 0

OSV, added 2026/05/05 5:52 p.m., 3 views

CLSA-2026-1778003565 Fix CVE(s): CVE-2026-40684, CVE-2026-40685, CVE-2026-40687

SECURITY UPDATE: out-of-bounds read in DNS reverse-lookup escape decoding when running against musl libc - debian/patches/CVE-2026-40684.patch: harden string_copy_dnsdomain to consume 1, 2, or 3 digits incrementally instead of indexing past the input string when fewer than 3 digits follow a backsla...

CVSS 9.8, AI score 6.1, EPSS 0.00373
Exploits: 0, References: 1

Apache Tomcat, added 2026/05/05 12:0 a.m., 8 views

Fixed in Apache Tomcat 11.0.22

Moderate: Security constraints not correctly applied (CVE-2026-43515). When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commits 276087d9 and 06597486. This issue was reported to the...

CVSS 9.8, AI score 5.8, EPSS 0.00996
Exploits: 2, Affected Software: 1

Ubuntu, added 2026/05/04 11:50 a.m., 9 views

USN-8228-1: Exim vulnerabilities

It was discovered that Exim incorrectly handled parsing malformed JSON in message headers. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-40685) It was discovered that Exim incorrectly handled processing of UTF-8 trailing characters. A remote attacker could...

CVSS 9.8, AI score 6.2, EPSS 0.00373
Exploits: 0

OSV, added 2026/05/04 11:50 a.m., 5 views

USN-8228-1 exim4 vulnerabilities

It was discovered that Exim incorrectly handled parsing malformed JSON in message headers. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2026-40685) It was discovered that Exim incorrectly handled processing of UTF-8 trailing characters. A remote attacker could...

CVSS 9.8, AI score 6, EPSS 0.00373
Exploits: 0, References: 4

Tenable Nessus, added 2026/04/30 12:0 a.m., 4 views

Amazon Linux 2 : jetty, --advisory ALAS2-2026-3277 (ALAS-2026-3277)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3277 advisory. In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early...

CVSS 7.4, AI score 4.7, EPSS 0.00377
Exploits: 0, References: 4

NVD, added 2026/04/29 4:16 p.m., 2 views

CVE-2025-56534

A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVSS 6.1, EPSS 0.00185
Exploits: 2, References: 2

OSV, added 2026/04/29 12:0 p.m., 1 views

UBUNTU-CVE-2026-40687

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory...

CVSS 9.1, AI score 6, EPSS 0.00373
Exploits: 0, References: 5

UbuntuCve, added 2026/04/29 12:0 p.m., 4 views

CVE-2026-40687

In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory...

CVSS 9.1, AI score 6, EPSS 0.00373
Exploits: 0, References: 3

CVE, added 2026/04/29 12:0 a.m., 5 views

CVE-2025-56534

OpenNebula v6.10.0.1 has a cross-site scripting (XSS) vulnerability in the custom authenticator driver. A crafted payload can cause arbitrary web scripts/HTML to execute in the web interface context. The CVE-2025-56534 records (NVD, CVE List, etc.) document this flaw with a CVSS v3.1 base score o...

CVSS 6.1, AI score 5.3, EPSS 0.00185
Exploits: 2, References: 2, Affected Software: 1