8 matches found
VulnCheck KEV: CVE-2026-6664
An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet...
BIT-PGBOUNCER-2026-6666 PgBouncer crash in kill_pool_logins_server_error
A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field...
PT-2026-40291
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL CLIENT admin command. All users with access to the administration console, which itself requires authorization, could run this command. It would have been correct to allow only users listed in the admin users...
CVE-2026-32885
DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both the Untar and Unzip functions in pkg/archive/archive.go. DDEV downloads and extracts archives from remote sources without path validation. Version...
SUSE CVE-2025-68938
Gitea before 1.25.2 mishandles authorization for deletion of releases...
EUVD-2025-206132
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists...
GHSA-CM54-PFMC-XRWX Gitea mishandles authorization for deletion of releases
Gitea before 1.25.2 mishandles authorization for deletion of releases...
CVE-2025-68938
Gitea before 1.25.2 mishandles authorization for deletion of releases...