926 matches found
CVE-2026-7865
A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH...
CVE-2026-7865 Hidden Console Command
A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH...
PT-2026-37084
Name of the Vulnerable Software and Affected Versions Crestron devices affected versions not specified Description A hidden console command contains a command injection flaw occurring when control characters are passed to its second argument. This issue exists in the way the console command is...
cups: Fix of CVE-2026-34980
CVE-2026-34980: filter control characters from option values in the scheduler to prevent PPD keyword injection via Print-Job...
CLSA-2026-1777541087 cups: Fix of CVE-2026-34980
CVE-2026-34980: filter control characters from option values in the scheduler to prevent PPD keyword injection via Print-Job...
CLSA-2026-1777586051 openssh: Fix of CVE-2026-35386
CVE-2026-35386: fix client-side command execution via control characters in usernames by adding iscntrl rejection to validruser...
CLSA-2026-1777585781 openssh: Fix of CVE-2026-35386
CVE-2026-35386: fix client-side command execution via control characters in usernames by adding iscntrl rejection to validruser...
Important: python3.12
Issue Overview: The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...
Important: python3.14
Issue Overview: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. CVE-2026-0672 The fix for CVE-2026-0672, which rejected control characters...
CLSA-2026-1777393200 cups: Fix of CVE-2026-34980
CVE-2026-34980: filter control characters from IPP option values and allowlist PPD keywords returned by filters so a remote attacker cannot inject cupsFilter/cupsFilter2 entries on a shared PostScript queue and gain code execution as the cupsd user...
CLSA-2026-1777392877 cups: Fix of CVE-2026-34980
CVE-2026-34980: filter control characters from IPP option values and allowlist PPD keywords returned by filters so a remote attacker cannot inject cupsFilter/cupsFilter2 entries on a shared PostScript queue and gain code execution as the cupsd user...
cpython: Incomplete control character validation in http.cookies
A control character validation flaw has been discovered in the Python http.cookie module. The Morsel.update, |= operator, and unpickling paths were not patched to resolve CVE-2026-0672, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output...
cpython: Header injection in http.cookies.Morsel in Python
An injection flaw has been discovered in Python. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters...
Unity Linux 20.1070e Security Update: python3 (UTSA-2026-014307)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014307 advisory. When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters...
CLSA-2026-1777026478 Fix CVE(s): CVE-2026-34980
SECURITY UPDATE: control-character injection in scheduler option handling - debian/patches/CVE-2026-34980.patch: filter control characters from IPP string option values and reject "special" PPD keywords cupsFilter, cupsFilter2, etc. reported back by job filters to prevent filter/command injection...
CLSA-2026-1777042487 Fix CVE(s): CVE-2026-34980
SECURITY UPDATE: filter control characters from option values in the scheduler to prevent PPD keyword injection via Print-Job. - debian/patches/CVE-2026-34980.patch: filter out control characters from IPP option values in scheduler/job.c and filter out special PPD keywords in the CUPSDLOGPPD bran...
CLSA-2026-1776788057 cups: Fix of CVE-2026-34980
CVE-2026-34980: filter control characters from option values in the scheduler to prevent PPD keyword injection via Print-Job...
CLSA-2026-1776767380 cups: Fix of 3 CVEs
CVE-2026-34980: filter control characters from option values in the scheduler to prevent PPD keyword injection via Print-Job - CVE-2026-39314: range check job-password-supported to prevent integer underflow in ppdCreateFromIPP - CVE-2026-39316: expire per-printer subscriptions before deleting the...
CLSA-2026-1776687226 Fix CVE(s): CVE-2024-52005
SECURITY UPDATE: ANSI escape sequence injection via sideband - debian/patches/CVE-2024-52005.patch: add strbufaddsanitized to mask control characters in sideband output in sideband.c. - CVE-2024-52005...
[slackware-security] cups
New cups packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/cups-2.4.17-i586-1slack15.0.txz: Upgraded. This update fixes security issues: The scheduler treated local user and group names as...