DEBIAN-CVE-2026-24660

A heap-based buffer overflow vulnerability exists in the x3floadhuffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability...

UBUNTU-CVE-2026-20889

A heap-based buffer overflow vulnerability exists in the x3fthumbloader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability...

UBUNTU-CVE-2026-21413

A heap-based buffer overflow vulnerability exists in the losslessjpegloadraw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability...

CVE-2026-20911

A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability...

CVE-2026-20911

A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability...

CVE-2026-5616

A security vulnerability has been detected in JeecgBoot 3.9.0/3.9.1. The impacted element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.java of the component AI Chat Module. Such manipulation leads to...

PT-2026-30832

Name of the Vulnerable Software and Affected Versions LibRaw versions Commit 0b56545 and Commit d20315b Description A heap-based buffer overflow exists in the lossless jpeg load raw functionality. A specially crafted malicious file can trigger a heap buffer overflow. An attacker can provide a...

PT-2026-30830

Name of the Vulnerable Software and Affected Versions LibRaw Commit d20315b Description A heap-based buffer overflow vulnerability exists in the x3f thumb loader functionality. A specially crafted malicious file can trigger a heap buffer overflow. An attacker can provide a malicious file to explo...

PT-2026-30833

Name of the Vulnerable Software and Affected Versions LibRaw versions prior to Commit 8dc68e2 Description An integer overflow exists in the uncompressed fp dng load raw functionality of LibRaw. A specially crafted malicious file can trigger a heap buffer overflow. An attacker can provide a...

LibRaw deflate_dng_load_raw integer overflow vulnerability

Talos Vulnerability Report TALOS-2026-2364 LibRaw deflatedngloadraw integer overflow vulnerability April 7, 2026 CVE Number CVE-2026-20884 SUMMARY An integer overflow vulnerability exists in the deflatedngloadraw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead ...

PT-2026-30831

Name of the Vulnerable Software and Affected Versions LibRaw versions Commit 0b56545 and Commit d20315b Description A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality. A specially crafted malicious file can trigger a heap buffer overflow. An attacker can...

PT-2026-30829

Name of the Vulnerable Software and Affected Versions LibRaw versions prior to Commit 8dc68e2 Description An integer overflow exists in the deflate dng load raw functionality of LibRaw. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file...

CVE-2026-35208

CVE-2026-35208 affects lichess.org: an Unsanitized Stream Title Injection occurs in the streamer workflow where approved streamers can inject HTML into the /streamer page and the Live streams widget by providing a title, which is rendered in the UI as-is. CSP blocks inline scripts, but the vulner...

CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

EUVD-2026-19475

ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload 0xFF,...

UBUNTU-CVE-2026-34982

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The complete, guitabtooltip and printheader options are missing the PMLE flag, allowing a modeline to be executed...

PT-2026-30726

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

PT-2026-30739

Name of the Vulnerable Software and Affected Versions Open edX Platform affected versions not specified Description The Open edX Platform allows for the creation and delivery of online learning content. The view survey API endpoint is susceptible to an open redirect issue due to the lack of...

CVE-2026-23435

In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86pmuenable A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP:...

OpenClaw: Discord voice manager bypasses channel-level member access allowlist

Summary Discord voice manager bypasses channel-level member access allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real...