544 matches found
Apache NiFi - Information Disclosure
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...
Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS mutual Transport Layer Security setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive informati...
CVE-2026-53085
A flaw was found in the Linux kernel's Berkeley Packet Filter BPF subsystem. This use-after-free vulnerability occurs when the taskvma iterator reads task memory without properly acquiring a reference, allowing the memory structure to be freed concurrently while still in use. This can lead to...
CVE-2026-41862
Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...
EUVD-2026-38596
Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...
PT-2026-51593
Name of the Vulnerable Software and Affected Versions Spring Statemachine versions 4.0.0 through 4.0.1 Spring Statemachine versions 3.2.0 through 3.2.4 Description Kryo-based persistence backends, including JPA, MongoDB, Redis, and ZooKeeper, deserialize persisted state-machine contexts without...
CVE-2026-41852
A flaw was found in Spring Framework. A vulnerability in the Spring Expression Language SpEL evaluation logic allows an attacker to invoke arbitrary zero-argument methods, even in restricted contexts. This can lead to the execution of unintended application logic, potentially resulting in a Denia...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Kryo-based persistence serializers KryoStateMachineSerialisationService / AbstractKryoStateMachineSerialisationService deserialise persisted state-machine contexts without enabling...
cve-2026-41862 - HIGH - Kryo deserialization of persisted context without class allowlist
cve-2026-41862 - HIGH - Kryo deserialization of persisted context without class allowlist...
CVE-2026-41852
A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....
UBUNTU-CVE-2026-41852
A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....
CVE-2026-41852 Spring Framework Arbitrary Method Invocation in SpEL Expressions
A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....
CVE-2026-41852
The CVE affects Spring Framework via SpEL evaluation allowing arbitrary zero-argument method invocation in restricted/read-only contexts across multiple versions (7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48). Root cause is the SpEL evaluation logic, enabling invocation of unintended app...
CVE-2026-41852 Spring Framework Arbitrary Method Invocation in SpEL Expressions
A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....
EUVD-2026-35340
A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....
PT-2026-47663
Name of the Vulnerable Software and Affected Versions Spring Framework versions 7.0.0 through 7.0.7 Spring Framework versions 6.2.0 through 6.2.18 Spring Framework versions 6.1.0 through 6.1.27 Spring Framework versions 5.3.0 through 5.3.48 Description A flaw in the Spring Expression Language SpE...
Security update for epiphany (important)
openSUSE Security Update: Security update for epiphany Announcement ID: openSUSE-SU-2026:0193-1 Rating: important References: 1208472 Cross-References: CVE-2023-26081 Affected Products: openSUSE Backports SLE-15-SP7 An update that fixes one vulnerability is now available. Description: This update...
OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorizedkeys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This coul...
WebADM Security Auditor and Content Exposure Scanner
This Python script is a defensive security auditing tool designed to analyze a target web application for potential information exposure and security misconfigurations, specifically focusing on environments resembling WebADM. This was tested on version 2.4.17-1...
Linux Distros Unpatched Vulnerability : CVE-2026-45913
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net: bridge: mcast: always update mdbnentries for vlan contexts syzbot triggered a warning1 about the number of mdb entries in a context. It turned out that the...