CVE-2026-56425

The Azure Active Directory AAD authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier sessionid as the OAuth state...

Astra Linux – Vulnerability in Heimdal

The fix for CVE-2022-3437 involved changing the memcmp function to run in constant time, as well as providing a workaround for a compiler bug by adding comparisons of the result with the value “!= 0” to the memcmp function. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0...

Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Description Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hashhmac when verifying the request against the configured webhook secret. The...

GHSA-RRJ9-5Q2J-4GVR Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Description Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hashhmac when verifying the request against the configured webhook secret. The...

CVE-2026-5419

A flaw was found in gnutls. The PKCS7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of...

PT-2026-45034

Description The Twilio SMS notifier bridge ships a webhook request parser used to authenticate and decode the status callbacks Twilio POSTs to an application's webhook endpoint. Its doParseRequest $request, SensitiveParameter string $secret method receives the configured webhook secret but never...

Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection

Description The Mailtrap mailer bridge ships a webhook request parser used to authenticate and decode the event callbacks Mailtrap POSTs to an application's webhook endpoint. Its doParseRequest $request, \SensitiveParameter string $secret method receives the configured webhook secret but never...

Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection

Description The Mailjet mailer bridge and the LOX24 SMS notifier bridge both ship webhook request parsers used to authenticate and decode the event callbacks each provider POSTs to an application's webhook endpoint. Their doParseRequest $request, \SensitiveParameter string $secret methods receive...

CLSA-2026-1779968889 Fix of 7 CVEs

SECURITY UPDATE: Authentication Bypass in digest authentication - debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest - CVE-2026-43512 SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names -...

CLSA-2026-1779697425 postgresql: Fix of CVE-2026-6478

CVE-2026-6478: backport upstream prerequisite that introduces the timingsafebcmp constant-time memory comparison helper, then apply it to SCRAM and MD5 authentication paths that previously used memcmp or strcmp on password hashes, computed keys, and SCRAM nonces, to prevent timing-side-channel...

httpd: Fix of 5 CVEs

CVE-2026-28780: modproxyajp 4-byte heap buffer overflow when contacting a malicious AJP backend off-by-AJPHEADERLEN check in ajpmsgcheckheader - CVE-2026-34059: modproxyajp heap over-read in ajpparsedata on short AJP replies - CVE-2026-33006: modauthdigest used non-constant-time strcmp for...

PT-2026-44547

Description The Mailtrap mailer bridge ships a webhook request parser used to authenticate and decode the event callbacks Mailtrap POSTs to an application's webhook endpoint. Its doParseRequest $request, SensitiveParameter string $secret method receives the configured webhook secret but never rea...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: The comparison of MACs is now performed at constant time. To prevent timing attacks, MACs need to be compared at constant time. Use the appropriate helper functions for this purpose...

SUSE-SU-2026:21824-1 Security update for leancrypto

This update for leancrypto fixes the following issues Security issue: - CVE-2026-34610: The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lcx509extractnamesegment casts sizet vlen to uint8t when stori...

CLSA-2026-1779190223 opensc: Fix of 5 CVEs

CVE-2023-5992: implement constant-time PKCS1 v1.5 depadding to prevent Bleichenbacher/Marvin-style timing attacks - CVE-2025-49010: fix stack buffer overflow write in iso7816 GET RESPONSE - CVE-2025-66037: fix out-of-bounds heap read in scpkcs15pubkeyfromspkifields - CVE-2025-66038: fix buffer...

CLSA-2026-1779118679 Fix of 8 CVEs

SECURITY UPDATE: modproxyajp heap buffer over-read in ajpmsggetstring - debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajpmsg.c. - CVE-2026-34032 SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads - debian/patches/CVE-2026-33857.patch: fix length checks ...

bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...

bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...

Fedora 44 : coturn (2026-3b3139882c)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3b3139882c advisory. Coturn 4.11.0 - Fix prometheus response memory leak introduced in 4.10.0 - Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC - Fix format-string...

PT-2026-41205

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description The 'checkBasicAuth' endpoint validates credentials in plaintext using direct comparison without rate limiting. This allows attackers to perform unlimited brute-force attempts against the username an...