RUSTSEC-2026-0123 Out-of-bounds read in `bytes_helper` public safe functions

The byteshelper module contains multiple public functions intoarr4, intoarr2, u8fromlebytes that use slice.getuncheckedpos..pos + N without verifying that pos + N = slice.len. These are public safe API functions, allowing any caller to trigger undefined behavior by passing invalid positions. For...

Invalid pointer arithmetic in `iter()` and `iter_mut()`

The iter and itermut APIs compute current = &children0 as const const RawAutoChild.sub1, which performs pointer subtraction going before the start of the allocation. This is undefined behavior per Rust's pointer arithmetic rules. This can be triggered through safe public APIs — iter and itermut —...

RUSTSEC-2026-0133 Invalid pointer arithmetic in `iter()` and `iter_mut()`

The iter and itermut APIs compute current = &children0 as const const RawAutoChild.sub1, which performs pointer subtraction going before the start of the allocation. This is undefined behavior per Rust's pointer arithmetic rules. This can be triggered through safe public APIs — iter and itermut —...

MAL-2026-3234 Malicious code in apexpro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 80f8783908329ceda250d21f3d9d39a117f80f8ca55c400c72065449d2a0bc1c The package apexpro was found to contain malicious code. Source: ghsa-malware fb2932c368cbb684114a08865c171d8af11aa8af3738e7d156f5692beccd48d5 Any...

CVE-2026-35233

An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range shlink field. When root-level dtrace attaches to -- or instruments -- that process via dtrace -p , pid probes, or USDT, the ELF parser reads heap memory beyond the allocated section cach...

CVE-2026-43030

A flaw was found in the Linux kernel's Berkeley Packet Filter BPF subsystem. A logic error in the regsafe function, specifically when handling pointers to packets, could lead to an incorrect state where valid packet ranges are not properly explored. This vulnerability may allow an attacker to...

CVE-2026-43048

In the Linux kernel, the following vulnerability has been resolved: HID: core: Mitigate potential OOB by removing bogus memset The memset in hidreportrawevent has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from an unchecked index mapping error in the ALSA ctxfi driver, which could lead to undefined behavior...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from the failure to deny immediate NFQUEUE verdicts in netfilter nftables, which could lead to undefined behavior...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from a failure to ensure that names end with a null character in netfilter xtables, which could lead to undefined...

PT-2026-36370

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the iommupt component where the unmap process may unmap more than requested if the ending point falls within a large or contiguous Input/Output Page Table Entry IOPTE...

Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix

A flaw was found in Apache Tomcat. This improper input validation vulnerability stems from an incomplete fix for a previous security issue CVE-2025-66614. This flaw may allow an attacker to bypass security controls or cause unexpected behavior within the application...

Malicious code in apple-internal-security-audit-v99 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85c1a320034eadbc47dbe12b147164f4b003babca198b527d6b725a9f891f188 The package apple-internal-security-audit-v99 was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3305 Malicious code in apple-internal-security-audit-v99 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85c1a320034eadbc47dbe12b147164f4b003babca198b527d6b725a9f891f188 The package apple-internal-security-audit-v99 was found to contain malicious code. Source: ghsa-malware...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the improper initialization of certain local variables during replay requests, potentially leading to...

CVE-2026-26015 Unauthenticated RCE in DocsGPT MCP STDIO Configuration

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution RCE...

MAL-2026-3186 Malicious code in ac-sasskit-beta (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f511f3bd2772e3721f69519323ae4557eb447a809eef469c46a1c500fe96c1c0 The package ac-sasskit-beta was found to contain malicious code. Source: ghsa-malware 1873c549998c97b796fea0e8381c73ed62d3517f9eac35919b3225ad2a2f454...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: ImageMagick (UTSA-2026-015470)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-015470 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior...

Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters

Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...

MAL-2026-3140 Malicious code in fivem-monitor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46a604a0acf84f672e7a3235e103f365f9d9f704c96faa12dcb5b9b0a9806004 The package fivem-monitor was found to contain malicious code. Source: ghsa-malware bea91e9a2c853e88f029684fb53cecc15f1960b1ccafb583b1da52a754f9ee4d...