EUVD-2026-5038
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages...
Semantics-Preserving Evasion of LLM Vulnerability Detectors
LLM-based vulnerability detectors are increasingly deployed in security-critical code review, yet their resilience to evasion under behavior-preserving edits remains poorly understood. We evaluate detection-time integrity under a semantics-preserving threat model by instantiating diverse...
Hiksemi NAS security vulnerabilities
HIKSEMI NAS is a private cloud storage device of China’s HIKSEMI Corporation. There is a security vulnerability in HIKSEMI NAS, which stems from insufficient validation of interface input parameters. This vulnerability may cause unauthorized users to trigger abnormal behaviors on the device...
MAL-2026-603 Malicious code in mcp-pdftool-plus (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 2e92dea8be02288f271dacad2cd77f1bdd54596da1691cb738c4a7b7b4f77d21 When using the library, the hidden code starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign...
CVE-2026-24856 iccDEV has UB runtime error in <icTagTypeSignature>
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile X...
libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins)
A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the...
MAL-2026-593 Malicious code in pypi-package-explore (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 54257ec88b5f7a5bd69177f84a4c396ab208e727ba1c7b079056f1fab2705c37 Package presents an extremely deep obfuscation of a code that is imported during installation. The exact behavior is unknown, but it includes loading encrypted...
Cap'n Proto has Undefined Behavior in constant::Reader and StructSchema
The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) by constructing arbitrary words or schemas. Reader::get rust pub fn get&self - Result::Reader // ... // UNSAFE: access words without validation...
GHSA-5W5R-MF82-595P Cap'n Proto has Undefined Behavior in constant::Reader and StructSchema
The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) by constructing arbitrary words or schemas. Reader::get rust pub fn get&self - Result::Reader // ... // UNSAFE: access words without validation...
Security Bulletin: User Entity Behavior Analytics App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. User Entity Behavior Analytics App for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2025-12758 DESCRIPTION: Versions of t...
Wasmtime segfault or unused out-of-sandbox load with f64.copysign operator on x86-64
On x86-64 platforms with AVX, Wasmtime's compilation of the f64.copysign WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled...
Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005191)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005191 advisory. In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit. The current implementation does not work correctly...
Duplicate Advisory: gix-date can create non-utf8 string with `TimeBuf::as_str`
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6mw6-mj76-grwc. This link is maintained to preserve external references. Original Description A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid...
GHSA-8RGQ-M2PM-JVMG Duplicate Advisory: gix-date can create non-utf8 string with `TimeBuf::as_str`
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6mw6-mj76-grwc. This link is maintained to preserve external references. Original Description A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid...
CVE-2026-0810
A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the TimeBuf component, leading to undefined behavior when these malformed strings are subsequently processed...
UBUNTU-CVE-2026-0810
A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the TimeBuf component, leading to undefined behavior when these malformed strings are subsequently processed...
CVE-2026-0810 Gix-date: gix-date: undefined behavior due to invalid string generation
A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the TimeBuf component, leading to undefined behavior when these malformed strings are subsequently processed...
EUVD-2026-4669
A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the TimeBuf component, leading to undefined behavior when these malformed strings are subsequently processed...