PT-2026-37257

Name of the Vulnerable Software and Affected Versions Kimai versions 2.27.0 through 2.53.x Description Users with ROLE USER privileges can create a tag containing a formula string such as =SUM54+51 via the 'POST /api/tags' endpoint and assign it to a timesheet. The ArrayFormatter.formatValue...

PT-2026-37265

Name of the Vulnerable Software and Affected Versions rust-openssl versions 0.9.7 through 0.10.78 Description The X509Ref::ocsp responders function returns OCSP responder URLs from a certificate's AIA extension as OpensslString. The Deref implementation wraps raw bytes using str::from utf8...

Linux Distros Unpatched Vulnerability : CVE-2026-43060

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - netfilter: nftct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone,...

GHSA-QQ3R-W4HJ-GJP6 apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...

GHSA-P6HG-QH38-555R Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service

Summary There is a medium severity information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie,...

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

Security Bulletin:Requests SSL Verification Issue Fixed in 2.32.0

Summary Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value ...

Malicious code in @bank-widgets/whats-new (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83244f927bab36b8e6f6493e932fea1ed017f30aaf286c82a81990f509589934 The package @bank-widgets/whats-new was found to contain malicious code. Source: ossf-package-analysis...

Zero Day Attacks: Novel Behaviour or Novel Vulnerability?

Zero-day attacks pose severe cybersecurity risks due to their high success rates and stealth. Because signature-based approaches struggle to detect such attacks, building Intrusion Detection Systems IDSs for detecting zero-day attacks is essential. We contend that for an IDS to be effective it mu...

Astra Linux – Vulnerability in imagemagick

A flaw was discovered in ImageMagick in versions prior to 7.0.11 and prior to 6.9.12. In these versions, a division by zero in the WaveImage function of MagickCore/visual-effects.c could lead to undefined behavior when a malicious image file was submitted to an application that used ImageMagick...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: net: mdio: fixed an undefined behavior in bit shifting for mdiobusregister. Shifting a signed 32-bit value by 31 bits is undefined; therefore, the significant bit was changed to unsigned. The UBSAN warning appears as follows:...

Astra Linux – Vulnerability in imagemagick

A flaw was discovered in ImageMagick’s MagickCore/segment.c file. An attacker who submits a crafted file processed by ImageMagick could trigger undefined behavior, specifically a division by zero in mathematics. This likely results in a disruption to the application’s functionality, but it may al...

Astra Linux – Vulnerability in imagemagick

A flaw was discovered in ImageMagick within MagickCore/quantum.h. An attacker who submits a crafted file processed by ImageMagick could induce undefined behavior, resulting in values that fall outside the range of types float and unsigned char. This likely leads to a disruption in the application...

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: This issue prevents UBSAN errors occurring in truesectorsperclst. The syzbot reported the following UBSAN error: 76.901829 T6677 ================================================================================ 76.903908...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: arm64: kexec: Initialize the kexecbuf struct in loadothersegments The kexecbuf structure was previously declared without initialization. The commit bf454ec31add “kexecfile: Allow to place the kexecbuf randomly” added a field that...

Astra Linux – Vulnerabilities in Linux, Linux-5.15, Linux-5.10

In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid undefined behavior: applying zero offset to null pointer ACPICA commit 770653e3ba67c30a629ca7d12e352d83c2541b1e Before this change we see the following UBSAN stack trace in Fuchsia: 0 0x000021e4213b3302 in...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: net: ena: fix shift-out-of-bounds in exponential backoff The ENA adapters on our instances occasionally reset. Once recently logged a UBSAN failure to console in the process: UBSAN: shift-out-of-bounds in...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: fs: jfs: Fixed UBSAN: array-index-out-of-bounds in dbAllocDmapLev Syzkaller reported the following issue: UBSAN: array-index-out-of-bounds in fs/jfs/jfsdmap.c:1965:6 Index -84 is out of range for type ‘s8341’ aka ‘signed char341’...

Astra Linux – Vulnerability in imagemagick

In the functions CatromWeights, MeshInterpolate, InterpolatePixelChannel, InterpolatePixelChannels, and InterpolatePixelInfo, which are all part of /MagickCore/pixel.c, there were multiple unconstrained pixel offset calculations that were used with the floor function. These calculations resulted ...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: blkiocost: fixed issues with out-of-bound shifts. Recently, running UBSAN detected a few out-of-bound shifts in the iocforgivedebts function: UBSAN: Out-of-bound shift in block/blk-iocost.c:2142:38; Shift exponent 80 is too...