OESA-2026-2148 pdfbox security update
Apache PDFBox is an open source Java PDF library for working with PDF documents. This project allows creation of new PDF documents, manipulation of existing documents and the ability to extract content from documents. Apache PDFBox also includes several command line utilities. Apache PDFBox is...
PT-2025-31834
Name of the Vulnerable Software and Affected Versions: Claude Code versions prior to 0.2.111. Description: Claude Code is an agentic coding tool affected by a path validation issue. The check uses prefix matching instead of canonical path comparison, allowing bypass of directory restrictions and...
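As an added illustration (not Claude Code's own code), the check below contrasts a prefix-match directory restriction with a canonical path comparison. The sandbox root and the candidate paths are assumed values chosen for the demo:

```python
import posixpath
from pathlib import PurePosixPath

# Assumed sandbox root for the demo; not taken from Claude Code.
ALLOWED_ROOT = "/home/dev/project"


def is_allowed_prefix(path: str, root: str = ALLOWED_ROOT) -> bool:
    """Flawed check: a plain string prefix match.

    Accepts any path that merely starts with the root string, so a sibling
    directory such as /home/dev/project-secrets and a traversal such as
    /home/dev/project/../.ssh both pass.
    """
    return path.startswith(root)


def is_allowed_canonical(path: str, root: str = ALLOWED_ROOT) -> bool:
    """Canonical comparison: resolve '.', '..' and duplicate separators,
    then compare whole path components rather than characters.

    Relative paths are interpreted relative to the root. In a real checker,
    also pass both sides through os.path.realpath so that symlinks pointing
    outside the root are resolved before the comparison.
    """
    root_c = PurePosixPath(posixpath.normpath(root))
    if not posixpath.isabs(path):
        path = posixpath.join(root, path)
    cand = PurePosixPath(posixpath.normpath(path))
    # Allowed only if the candidate is the root itself or lies beneath it.
    return cand == root_c or root_c in cand.parents


def compare(path: str) -> tuple[bool, bool]:
    """Return (prefix_result, canonical_result) for one candidate path."""
    return is_allowed_prefix(path), is_allowed_canonical(path)


if __name__ == "__main__":
    # Constructed candidates: a legitimate file, two bypasses that a prefix
    # match wrongly accepts, and a relative traversal.
    for p in [
        "/home/dev/project/src/main.py",
        "/home/dev/project-secrets/key.pem",
        "/home/dev/project/../.ssh/id_rsa",
        "src/../../other/notes.txt",
    ]:
        prefix_ok, canonical_ok = compare(p)
        print(f"{p:40} prefix={prefix_ok!s:5} canonical={canonical_ok}")
```

The sibling-directory case is the one prefix matching gets wrong even without any `..` in the input: `/home/dev/project-secrets` starts with `/home/dev/project` as a string but is not under it as a path.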
CVE-2025-38305 ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux t...
CVE-2025-38039 net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled When attempting to enable MQPRIO while HTB offload is already configured, the driver currently returns -EINVAL and triggers a WARN_ON, leading to an...
CVE-2023-2329
The WooCommerce Google Sheet Connector WordPress plugin before 1.3.6 does not have a CSRF check when updating its Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a CSRF attack...
CVE-2021-21405
Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2 unique byte arrays...
CVE-2021-21954
A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to arbitrary command execution...
GHSA-MR7Q-FV7J-JCGV baserCMS has a Cross-site Scripting (XSS) Vulnerability in HTTP 400 Bad Request
XSS vulnerability in the HTTP 400 Bad Request response of baserCMS. Target: baserCMS 5.1.1 and earlier versions. Vulnerability: malicious code may be executed via the HTTP 400 Bad Request response. Countermeasures: update to the latest version of baserCMS. Please refer to the following page for more information...
Remotely Exploding Pagers
Wow. It seems they all exploded simultaneously, which means they were triggered. Were they each tampered with physically, or did someone figure out how to trigger a thermal runaway remotely? Supply chain attack? Malicious code update, or natural vulnerability? I have no idea, but I expect we will...
PT-2025-25437 · Xwiki · Xwiki
Name of the Vulnerable Software and Affected Versions: XWiki versions before 15.10.16 XWiki versions 16.0.0-rc-1 through 16.4.6 XWiki versions 16.5.0-rc-1 through 16.10.1 Description: The issue concerns XWiki, a generic wiki platform. In affected versions, an attacker without script or programmin...
CVE-2024-38633 serial: max3100: Update uart_driver_registered on driver removal
In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Update uart_driver_registered on driver removal The removal of the last MAX3100 device triggers the removal of the driver. However, the code doesn't update the respective global variable, and after insmod — rmmod — insm...
CGA-V99P-WR93-6R5C
Bulletin has no description...
CGA-HJ78-V8R6-F74C
Bulletin has no description...
CGA-G5Q2-H4JR-H8VJ
Bulletin has no description...
CVE-2024-31995 zcap has incomplete expiration checks in capability chains.
@digitalbazaar/zcap provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the expires property is not properly checked against the current da...
GHSA-8832-4MM5-X2R6 discordrb OS Command Injection vulnerability
discordrb is an implementation of the Discord API using Ruby. In discordrb before commit 91e13043ffa, the encoder.rb file unsafely constructs a shell string using the file parameter, which can potentially leave clients of discordrb vulnerable to command injection. The library is not directly...
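As an added example, not discordrb's code and written in Python rather than the library's Ruby, the functions below show the pattern behind this class of bug: an untrusted file name interpolated into a shell command string, beside the same command passed as an argument vector. The file-name payload and the `echo` stand-in for the real encoder are constructed for the demo:

```python
import shlex
import subprocess

# Constructed file name carrying a shell metacharacter payload for the demo.
PAYLOAD = "song.mp3; echo INJECTED"


def encode_unsafe(file: str) -> str:
    """Vulnerable pattern: the file name is interpolated into a shell string
    and executed through the shell, so ';' ends the intended command and
    starts an attacker-chosen one. `echo` stands in for the real encoder."""
    cmd = f"echo converting {file}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def encode_quoted(file: str) -> str:
    """Mitigation when a shell string is unavoidable: shlex.quote() turns the
    whole file name into a single shell word, so metacharacters stay literal."""
    cmd = f"echo converting {shlex.quote(file)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def encode_safe(file: str) -> str:
    """Preferred fix: pass an argument vector with shell=False, so no shell
    parses the file name at all."""
    return subprocess.run(["echo", "converting", file],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe :", repr(encode_unsafe(PAYLOAD)))
    print("quoted :", repr(encode_quoted(PAYLOAD)))
    print("safe   :", repr(encode_safe(PAYLOAD)))
```

With the payload above, the unsafe variant runs two commands and prints `INJECTED` on its own line; the quoted and argument-vector variants print the file name verbatim as a single argument. Ruby's `system("cmd", arg1, arg2)` and `Shellwords.escape` are the corresponding mitigations there.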
Users of ReraiseCrowdfund will potentially not receive appropriate voting power
Lines of code. Vulnerability details. Bug Description: The recent code update introduces the functionality for authorities to reduce the total voting power by invoking the decreaseTotalVotingPower function of the party. However, this functionality can lead to issues when used in the time frame after...
Increasing totalVotingPower during a crowdfund can lead to users losing funds.
Lines of code. Vulnerability details. Bug Description: The recent code update allows authorities to be declared at the start of the crowdfunding phase. This change allows authority-restricted functions to be called during the crowdfunding phase by the authorities added in the party constructor...
Debian: Security Advisory (DSA-5496-1)
The remote host is missing an update for the Debian... (Greenbone AG, 2023. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders.)