Astra Linux - уязвимость в gst-plugins-base1.0

GStreamer before version 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags...

Astra Linux - уязвимость в 389-ds-base

A flaw was discovered in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then any password will successfully match during authentication, instead of being inactive. This flaw allows an attacker to successfully authenticate as a user whose password h...

PT-2026-42138

Name of the Vulnerable Software and Affected Versions 389-ds-base affected versions not specified Description A flaw exists in the LDAP server where the get ldapmessage controls ext function fails to enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated...

ROS-20260520-73-0009

A vulnerability in the Base component of Google Chrome and Microsoft Edge browsers is related to the ability to use memory after it has been freed. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service using a specially crafted HTML page...

PT-2026-42219

NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or...

HCL BigFix Service Management 安全漏洞

HCL BigFix Service Management is an IT service management and asset management platform developed by the Indian company HCL. HCL BigFix Service Management has a security vulnerability, which stems from configuration issues. Using outdated or insecure base images may introduce known vulnerabilitie...

PT-2026-42144

HCL BigFix Service Management SM is susceptible to a Configuration – 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment...

Server-side Request Forgery (SSRF)

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in SearXNG search proxy via unvalidated baseUrl. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive th...

NPM: SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl

NPM: SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl vulnerability discovered by ? in WordPress Npm sillytavern versions = 1.17.0...

SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl

Resolution SillyTavern 1.18.0 added a generic server-side request filter Private Request Whitelisting. Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is...

Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path

Summary pymdownx.snippets has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With restrictbasepath: True the default, the current filename.startswithbase containment check does not enforce a directory boundary. As a result, a markdown snippet directive can read files from sibling...

GHSA-62Q4-447F-WV8H Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path

Summary pymdownx.snippets has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With restrictbasepath: True the default, the current filename.startswithbase containment check does not enforce a directory boundary. As a result, a markdown snippet directive can read files from sibling...

Malicious code in soundsource (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add The package's source distribution contains Token.txt at the tarball root holding a live PyPI API token prefix pypi-AgEIcHlwaS5vcmc.... Anyone who...

MAL-2026-4769 Malicious code in soundsource (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add The package's source distribution contains Token.txt at the tarball root holding a live PyPI API token prefix pypi-AgEIcHlwaS5vcmc.... Anyone who...

Important: Red Hat Security Advisory: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

An update for multiple packages is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

EUVD-2026-30966

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object rather than a String to Faraday::Connectionbuildexclusiveurl. This...

Important: Red Hat Security Advisory: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

An update for multiple packages is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

Security update for postgresql15

This update for postgresql15 fixes the following issues Update to version 15.18. Security issues: CVE-2026-6472: ensure the user has CREATE privilege on the schema specified bsc1265172. CVE-2026-6473: integer overflows in memory-allocation calculations bsc1265173. CVE-2026-6474: Guard against...

CVE-2026-45402

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the...

CVE-2026-45671

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...