qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file

A flaw was found in the Qt SVG module and the VectorImage component in Qt Quick. This vulnerability allows a remote attacker to inject arbitrary QML/JavaScript code by tricking a user into loading a specially crafted malicious SVG file. Successful exploitation could lead to denial of service,...

USN-8417-1: Tomcat vulnerabilities

It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. CVE-2026-41284 It was discovered that Tomcat incorrectly validated HTTP/2...

Malicious code in xnder-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0cac2bcdbeb978a93be7021106fbfcab7795f51b434141160391cb89df0a87ab The package contains scripts/script.js with heavy obfuscation patterns string-array shift loops, hex-encoded indices, while!! anti-analysis construct...

Malicious code in xnder-wrapper-module (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6ff6538b76e9f03f65d8f16113bb6b606a59e59c172e9facb7de6ce0b523a7fb package.json declares "postinstall": "node scripts/script.js", causing scripts/script.js to run automatically on every npm install. That file is the...

MAL-2026-5491 Malicious code in xnder-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0cac2bcdbeb978a93be7021106fbfcab7795f51b434141160391cb89df0a87ab The package contains scripts/script.js with heavy obfuscation patterns string-array shift loops, hex-encoded indices, while!! anti-analysis construct...

EUVD-2026-35992

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution...

CVE-2026-11815 Insecure Deserialization via MITM in Layer 7 Policy Manager

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution...

CVE-2026-11815

CVE-2026-11815 describes insecure deserialization via MITM between a client application and an API Gateway server, potentially allowing deserialization of arbitrary objects and leading to broken security expectations or remote code execution. The vulnerability is associated with the Layer 7 Polic...

CVE-2026-11815 Insecure Deserialization via MITM in Layer 7 Policy Manager

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution...

poppler: Integer overflow in Poppler SplashOutputDev::tilingPatternFill leads to heap buffer overflow via unchecked dimension multiplication

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the tilingPatternFill function. This overflow leads to an undersized heap memory allocation, allowing a subsequent...

firefox: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox ESR 115.35.1, Firefox ESR 140.10.1 and Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some ...

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers Protobuf, that, if successfully exploited, could result in remote code execution RCE and denial-of-service DoS attacks. "In affected environments, a...

MGASA-2026-0188 Updated jq packages fix security vulnerabilities

An integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. CVE-2024-23337 It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of...

Exploit for Out-of-bounds Write in Mediatek Lr12A

CVE-2024-20154: NB-IoT SIB1-NB Stack Overflow in MediaTek MT67...

CVE-2026-36722

An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file...

CVE-2026-36723

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to...

CVE-2026-34993

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. An attacker could exploit this vulnerability by providing untrusted input to the CookieJar.load function. This could potentially lead to arbitrary code execution, allowing the attacker to run malicio...

SUSE CVE-2026-11632

Use after free in TabStrip in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

SUSE CVE-2026-11633

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. Chromium security severity: Critical...

SUSE CVE-2026-11637

Use after free in Views in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...