8 matches found
PT-2026-31058
Name of the Vulnerable Software and Affected Versions SWIG affected versions not specified Description SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. Recommendations At the moment, there...
Server-Side Request Forgery (SSRF)
Webpack is vulnerable to Server-Side Request Forgery SSRF . The vulnerability is due to missing re-validation of allowedUris after HTTP 30x redirects in the HttpUriPlugin, allowing imports initially constrained to trusted URLs to be redirected to untrusted or internal endpoints, resulting in...
DEBIAN-CVE-2025-68157
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...
Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories...
golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and...
golang: improper validation of cgo flags can lead to code execution at build time
An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via go get or go bui...
golang: improper validation of cgo flags can lead to code execution at build time
An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via go get or go bui...
kdelibs -- insecure temporary file creation
Davide Madrisan reports: The dcopidlng' script in the KDE library package kdelibs-3.3.2/dcop/dcopidlng/dcopidlng creates temporary files in a unsecure manner. Note: dcopidlng is only used at build time, so only users installing KDE are vulnerable, not users already running KDE...