1109 matches found

OSV
added 2026/02/12 10:11 p.m., 4 views

GHSA-R33W-FG8J-9C94 MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution

Description: MagicLink stores serialized action objects in the magiclinks.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records, e.g., via S...

CVSS 8.8, AI score 6.1
Exploits: 0, References: 3
RedhatCVE
added 2026/01/29 9:21 p.m., 3 views

CVE-2023-37525

A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals...

CVSS 5.3, AI score 5.9, EPSS 0.00075
Exploits: 0, References: 1
RedHat Linux
added 2026/01/28 3:08 p.m., 0 views

kernel: i40e: fix idx validation in config queues msg

A flaw was found in the Linux kernel in the Intel i40e network driver such that in the function i40e_vc_config_queues_msg, when iterating over vf->ch[idx], the idx value is not properly validated against the range of active/initialized traffic classes (TCs). An attacker with local privileges could supply ...

AI score 6, EPSS 0.00063
Exploits: 0, References: 5
RedHat Linux
added 2026/01/28 12:38 a.m., 0 views

kernel: i40e: fix idx validation in config queues msg

A flaw was found in the Linux kernel in the Intel i40e network driver such that in the function i40e_vc_config_queues_msg, when iterating over vf->ch[idx], the idx value is not properly validated against the range of active/initialized traffic classes (TCs). An attacker with local privileges could supply ...

AI score 6, EPSS 0.00063
Exploits: 0, References: 5
Snyk
added 2026/01/26 10:50 a.m., 3 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the log-socket collector process. An attacker can execute arbitrary code or cause a denial of service by sending specially crafted serialized objects to the exposed port 4560 when the allowed classe...

CVSS 8.7, AI score 6.2, EPSS 0.00037
Exploits: 0, References: 2
SUSE CVE
added 2026/01/23 12:25 a.m., 2 views

SUSE CVE-2026-1225

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially...

CVSS 6.4, AI score 5.6, EPSS 0.00014
Exploits: 0, References: 4
Tenable Nessus
added 2026/01/22 12:00 a.m., 1 view

Azure Linux 3.0 Security Update: kernel (CVE-2024-56649)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-56649 advisory. - In the Linux kernel, the following vulnerability has been resolved: net: enetc: Do not configure preemptible...

CVSS 5.5, AI score 5.4, EPSS 0.00019
Exploits: 0, References: 2
ATTACKERKB
added 2026/01/20 1:49 p.m., 1 view

CVE-2025-9464

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive...

CVSS 8.7, AI score 5.3, EPSS 0.00041
Exploits: 0, References: 2
RedhatCVE
added 2026/01/09 11:28 a.m., 5 views

CVE-2021-33493

The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format...

CVSS 6, AI score 7.3, EPSS 0.00202
Exploits: 3, References: 1
RedhatCVE
added 2026/01/09 8:47 a.m., 4 views

CVE-2025-23844

Cross-Site Request Forgery (CSRF) vulnerability in Jamsheer K Custom Widget Classes custom-widget-classes allows Cross Site Request Forgery. This issue affects Custom Widget Classes: from n/a through <= 1.1...

CVSS 7.1, AI score 7.2, EPSS 0.00138
Exploits: 0, References: 1
Positive Technologies
added 2026/01/01 12:00 a.m., 2 views

PT-2026-20985

Name of the Vulnerable Software and Affected Versions: Zumba Json Serializer versions 3.2.2 and below. Description: The Zumba Json Serializer library allows deserialization of PHP objects from JSON using a special @type field. Prior to version 3.2.3, the deserializer instantiates any class specified...

CVSS 8.1, AI score 6, EPSS 0.00143
Exploits: 0, References: 16
NVD
added 2025/12/15 11:15 p.m., 2 views

CVE-2025-9121

Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods...

CVSS 8.8, EPSS 0.00094
Exploits: 0, References: 1
Github Security Blog
added 2025/12/02 1:25 a.m., 4 views

mdast-util-to-hast has unsanitized class attribute

Impact: Multiple unprefixed classnames could be added in markdown source by using character references. This could make rendered user-supplied markdown code elements appear like the rest of the page. The following markdown: markdown jsxss Would create If your page then applied .xss classes or...

CVSS 6.9, AI score 6.8, EPSS 0.00086
Exploits: 0, References: 5, Affected Software: 1
Snyk
added 2025/12/01 11:04 p.m., 1 view

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: org.webjars.npm:mdast-util-to-hast is an mdast utility to transform to hast. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the class attribute in rendered markdown code elements. An attacker can cause...

CVSS 6.9, AI score 6.5, EPSS 0.00086
Exploits: 0, References: 2
RedHat Linux
added 2025/12/01 9:41 a.m., 0 views

kernel: i40e: fix idx validation in config queues msg

A flaw was found in the Linux kernel in the Intel i40e network driver such that in the function i40e_vc_config_queues_msg, when iterating over vf->ch[idx], the idx value is not properly validated against the range of active/initialized traffic classes (TCs). An attacker with local privileges could supply ...

AI score 6, EPSS 0.00063
Exploits: 0, References: 5
Packet Storm News
added 2025/11/25 12:00 a.m., 2 views

Quantum Key Distribution: Bridging Theoretical Security Proofs, Practical Attacks, and Error Correction for Quantum-Augmented Networks

Quantum Key Distribution (QKD) is revolutionizing cryptography by promising information-theoretic security through the immutable laws of quantum mechanics. Yet, the challenge of transforming these idealized security models into practical, resilient systems remains a pressing issue, especially as...

AI score 7.1
Exploits: 0
Packet Storm News
added 2025/11/14 12:00 a.m., 3 views

Adaptive Intrusion Detection for Evolving RPL IoT Attacks Using Incremental Learning

The routing protocol for low-power and lossy networks (RPL) has become the de facto routing standard for resource-constrained IoT systems, but its lightweight design exposes critical vulnerabilities to a wide range of routing-layer attacks such as hello flood, decreased rank, and version number...

AI score 6.9
Exploits: 0
Packet Storm News
added 2025/11/12 12:00 a.m., 2 views

Slice-Aware Spoofing Detection in 5G Networks Using Lightweight Machine Learning

The increasing virtualization of fifth generation (5G) networks expands the attack surface of the user plane, making spoofing a persistent threat to slice integrity and service reliability. This study presents a slice-aware lightweight machine-learning framework for detecting spoofing attacks withi...

AI score 6.7
Exploits: 0
CNNVD
added 2025/11/07 12:00 a.m., 2 views

pig security vulnerability

pig is a privilege management system from the pig-mesh open source project. A security vulnerability exists in pig 3.8.2 and earlier versions, which originates in the Quartz management feature that can execute arbitrary Java classes via reflection, potentially leading to remote code execution...

CVSS 9.1, AI score 8.2, EPSS 0.01928
Exploits: 1, References: 2
Veracode
added 2025/10/30 12:04 p.m., 4 views

Deserialization Of Untrusted Data

com.hubspot.jinjava, jinjava is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to use of mapper.getTypeFactory().constructFromCanonical(), which allows the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes...

CVSS 10, AI score 7.1, EPSS 0.01267
Exploits: 0, References: 6, Affected Software: 1