Incorrect Behavior Order

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order in the Delegate process when the User parameter is unset and the unit is running. An attacker can cause a system service to terminate unexpectedly by creating or manipulating a unit with these settings. This is...

Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment

Helm is a package manager for Charts for Kubernetes. In Helm versions /, instead of the expected //, potentially overwriting the contents of the targeted directory. Note: a chart name containing POSIX dot-dot, or dot-dot and slashes as if to refer to parent directories do not resolve beyond the...

Rand is unsound with a custom logger using `rand::rng()`

It has been reported by @lopopolo that the rand library is unsound i.e. that safe code using the public API can cause Undefined Behaviour when all the following conditions are met: - The log and threadrng features are enabled - A custom logger is defined - The custom logger accesses rand::rng...

HSEC-2026-0006 Cabal deletes project source files during configure

Cabal deletes project source files during configure The checkDuplicateHeaders function in Distribution.Simple.Configure removes header files from the source directory when a header with the same name exists in both the build directory and the source directory. This behavior was introduced in comm...

CVE-2026-27144

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime...

GHSA-XPCF-PG52-R92G Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Summary ipRestriction does not canonicalize IPv4-mapped IPv6 client addresses e.g. ::ffff:127.0.0.1 before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. Details The middlewar...

Google Go 安全漏洞

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which stems from the lack of operation interface conversion, allowing the compiler to incorrectly...

CVE-2026-33815

A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria...

firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Undefined behavior in the WebRTC: Signaling component...

firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Undefined behavior in the WebRTC: Signaling component...

TOPSEC Internet Behavior Management System 操作系统命令注入漏洞

The TOPSEC Internet Behavior Management System is an online behavior auditing system developed by TOPSEC Corporation. The TOPSEC Internet Behavior Management System has a vulnerability related to operating system command injection. This vulnerability stems from command injection at the endpoints ...

PT-2026-31060

Name of the Vulnerable Software and Affected Versions affected versions not specified Description The compiler failed to correctly determine non-overlapping memory moves due to a no-op interface conversion, potentially leading to memory corruption during runtime. This issue involves unwrapping...

Why AI Bot Protection and Control Are Essential for Application Security

AI-driven automation is no longer emerging. It is already integrated and accepted as internet traffic. From AI assistants and crawlers to enterprise automation tools, websites are now routinely accessed by non-human actors operating at scale. Vulnerabilities or weaknesses in your application...

Incorrect Behavior Order: Validate Before Canonicalize

Overview vite-plus is a The Unified Toolchain for the Web Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw,...

CVE-2026-34379 OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoderexecute in...

CVE-2026-34379 OpenEXR has a misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoderexecute in...

CVE-2026-34379

CVE-2026-34379 affects OpenEXR across 3.2.x, 3.3.x, and 3.4.x: a misaligned memory write in LossyDctDecoder_execute() for FLOAT channels during in-place HALF→FLOAT conversion. The decoder casts an unaligned uint8_t* row pointer to float* and writes, causing undefined behavior and potential crash ...

CVE-2026-33752 Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)

curlcffi is the a Python binding for curl. Prior to 0.15.0, curlcffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata...

PT-2026-30575

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a flaw in its netfilter component related to conntrack and missing netlink policy validations. Specifically, the nlattr to sctp function improperly handles...

SUSE CVE-2026-34872

An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values lack of contributor...