GHSA-36FC-7WJG-MFVJ Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, enabling object injection if an attacker can control the serialized data source. Affected Component - Package: pimcore/pimcore and...

PT-2026-44150

Description SymfonyComponentYamlParser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '^%YAML: d.+. u', whose d.+ and . overlap on the dot, that exhibit...

Apache Syncope 安全漏洞

Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration, and more. A security vulnerability exists in Apache Syncope versions 3.0 through...

ALPINE-CVE-2026-5946

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths — recursio...

CVE-2026-5946

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths — recursio...

EUVD-2026-31107

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths — recursio...

CVE-2026-5946 Invalid handling of CLASS != IN

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths — recursio...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerabilities have been resolved: i40e: Fixed the idx validation in config queues msg. Ensured that idx is within the range of active/initialized TC’s when iterating over vf-chidx in i40evcconfigqueuesmsg...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: netsched: Prevent the creation of classes with TCHROOT. The function qdisctreereducebacklog uses TCHROOT as a termination condition when traversing the qdisc tree to update parent backlog counters. However, if a class is created...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: ice: Fixed a crash by keeping the old configuration when updating Traffic Classes beyond the allocated queues. There are issues when the number of allocated queues is less than the number of Traffic Classes. Commit a632b2a4c92...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: net/sched: schets: do not remove idle classes from the round-robin list Shuang reported that the following scripts cause issues when executed: 1 tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7...

CVE-2026-31910

CVE-2026-31910 (Apache OFBiz) is an SSRF vulnerability tied to improper input validation in UI Factory Classes. Affected software is Apache OFBiz prior to 24.09.06. The issue enables Server-Side Request Forgery and is addressed by upgrading to version 24.09.06, which contains the fix. No exploita...

CVE-2026-31910 Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access

Server-Side Request Forgery SSRF vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

PT-2026-42163

Name of the Vulnerable Software and Affected Versions BIND 9 versions 9.11.0 through 9.16.50 BIND 9 versions 9.18.0 through 9.18.48 BIND 9 versions 9.20.0 through 9.20.22 BIND 9 versions 9.21.0 through 9.21.21 BIND 9 versions 9.11.3-S1 through 9.16.50-S1 BIND 9 versions 9.18.11-S1 through...

ebpf-cve-analysis

eBPF CVE Analysis !polito-logoresources/images/logopolito...

EUVD-2026-28814

Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading...

CVE-2021-47925

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

Bringing AI Code Security into Qualys ETM

A first-class data model for the next generation of findings AI-driven code security is becoming a real category. Anthropic's Claude Code Security and OpenAI's Codex Security are the leading examples, and more will follow. These tools reason about source code at a depth that traditional SAST cann...

EUVD-2021-34787

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

CVE-2021-47925

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...