4 matches found
CVE-2026-40472
In hackage-server, user-controlled metadata from .cabal files is rendered into HTML href attributes without proper sanitization, enabling stored Cross-Site Scripting (XSS) attacks...
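The defect class above (an attacker-supplied URL copied into an href) is shown below in Go, as an added example that is not hackage-server's code (hackage-server is written in Haskell) and does not reproduce its template. The hostile homepage string, the anchor fragment and the SafeHref allowlist are constructed for this illustration. It contrasts a context-blind template engine, which passes a javascript: scheme straight through, with html/template, which recognises the URL attribute context, and adds an explicit scheme allowlist to apply before the value is ever stored or rendered.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"io"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// hostileHomepage is a constructed value standing in for the homepage field
// of an uploaded .cabal file; it is a test string, not a real package.
const hostileHomepage = "javascript:alert(document.cookie)"

// anchor is the fragment both renderers use: the value lands in a URL attribute.
const anchor = `<a href="{{.}}">Homepage</a>`

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface {
	Execute(w io.Writer, data any) error
}

func render(t executor, homepage string) string {
	var buf bytes.Buffer
	if err := t.Execute(&buf, homepage); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderUnsafe mirrors the vulnerable pattern: a template engine with no
// notion of HTML context copies the attacker's scheme into the href verbatim.
func RenderUnsafe(homepage string) string {
	return render(texttemplate.Must(texttemplate.New("a").Parse(anchor)), homepage)
}

// RenderSafe uses html/template, which knows the value sits in a URL
// attribute and replaces a scheme other than http, https or mailto with
// the inert placeholder "#ZgotmplZ".
func RenderSafe(homepage string) string {
	return render(template.Must(template.New("a").Parse(anchor)), homepage)
}

// SafeHref is the explicit allowlist to apply before storage or rendering:
// parse the field as a URL, accept only http(s) with a host and no userinfo,
// and return the re-serialised form so odd encodings cannot smuggle a scheme.
func SafeHref(raw string) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", false
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return "", false
	}
	if u.Host == "" || u.User != nil {
		return "", false
	}
	return u.String(), true
}

func main() {
	fmt.Println("unsafe:", RenderUnsafe(hostileHomepage))
	fmt.Println("safe:  ", RenderSafe(hostileHomepage))
	for _, in := range []string{hostileHomepage, "https://hackage.haskell.org/package/example"} {
		href, ok := SafeHref(in)
		fmt.Printf("SafeHref(%q) = %q, %v\n", in, href, ok)
	}
}
```

Context-aware escaping is the backstop; the allowlist is the primary control, because it rejects the value at upload time and does not depend on every template that later displays the field being the safe kind.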
UBUNTU-CVE-2026-5438
A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with Content-Encoding: gzip. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive...
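The two mistakes named above, no cap on decompressed output and sizing memory from the sender's own metadata, are shown with their fix in Go below. This is an added example, not Orthanc's code (Orthanc is C++), and the payload is constructed in the block: a few megabytes of zeros that gzip shrinks to a few kilobytes. The decompressor streams through io.LimitReader and enforces the cap on bytes actually produced; the gzip trailer's ISIZE field is read only to show how cheap it is for a sender to make the stream "claim" a size.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the decompressed body exceeds the configured cap.
var ErrTooLarge = errors.New("decompressed body exceeds limit")

// DecompressLimited inflates a gzip body while streaming and refuses to
// produce more than maxBytes of output. The cap is enforced on bytes
// actually produced, never on anything the payload says about itself.
func DecompressLimited(body []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Read one byte past the cap so "exactly at the limit" can be told
	// apart from "would have kept inflating".
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrTooLarge
	}
	return out, nil
}

// ClaimedSize returns the ISIZE field from the gzip trailer: the uncompressed
// length mod 2^32, as written by whoever produced the stream. It is metadata
// under the sender's control and must not be used to size an allocation.
func ClaimedSize(body []byte) (uint32, bool) {
	if len(body) < 8 {
		return 0, false
	}
	return binary.LittleEndian.Uint32(body[len(body)-4:]), true
}

// makeBomb builds a constructed test payload: n zero bytes compress to a few
// kilobytes, which is what makes a decompression bomb cheap to send.
func makeBomb(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(make([]byte, n)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	bomb := makeBomb(16 << 20) // 16 MiB of zeros
	fmt.Printf("compressed size: %d bytes\n", len(bomb))
	if size, ok := ClaimedSize(bomb); ok {
		fmt.Printf("trailer claims %d bytes (untrusted)\n", size)
	}
	_, err := DecompressLimited(bomb, 1<<20) // 1 MiB cap
	fmt.Println("decompress with 1 MiB cap:", err)
}
```

The cap should be chosen per endpoint from what the handler can legitimately receive; a DICOM upload endpoint and a small JSON API do not share one number. A request-level limit on the compressed body alone does not help, since the ratio is what the attacker controls.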
CVE-2025-14911
CVE-2025-14911 involves the mongo-c-driver (GridFS) where user-controlled chunkSize metadata can cause an integer overflow leading to a heap allocation failure. Affected component/file: GridFS handling in the mongo-c-driver, with the underlying issue being insufficient validation of the chunkSize...
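The integer-overflow-to-allocation pattern named above is shown in Go below as an added example; it is not mongo-c-driver code and does not reproduce the driver's arithmetic, which the snippet does not describe. GridFS stores chunkSize as a 32-bit integer in the files document, so the example treats that field as untrusted int32 input. The naive function wraps as C arithmetic would and can yield a zero or negative buffer size; the hardened path bounds chunkSize, multiplies with overflow detection via math/bits.Mul64, and applies an absolute cap. The default and maximum chunk sizes are this example's assumptions, not the driver's constants.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/bits"
)

// Bounds assumed for this example (not mongo-c-driver constants): the GridFS
// default chunk size, and a ceiling chosen because a chunk must fit inside
// one BSON document.
const (
	defaultChunkSize = 255 * 1024
	maxChunkSize     = 16 * 1024 * 1024
)

var (
	ErrBadChunkSize = errors.New("gridfs: chunkSize out of range")
	ErrOverflow     = errors.New("gridfs: buffer size overflows")
	ErrTooLarge     = errors.New("gridfs: buffer size exceeds cap")
)

// naiveBufferSize is the vulnerable shape: arithmetic on the untrusted
// chunkSize in a 32-bit type with no check. The product wraps silently, and
// a wrapped value handed to an allocator is undersized or fails outright.
func naiveBufferSize(chunkSize int32, nChunks int32) int32 {
	return chunkSize * nChunks
}

// ValidateChunkSize rejects the values an attacker-controlled files document
// can carry: zero, negative (the sign bit of int32), or implausibly large.
func ValidateChunkSize(chunkSize int32) error {
	if chunkSize <= 0 || chunkSize > maxChunkSize {
		return ErrBadChunkSize
	}
	return nil
}

// ReadBufferSize computes chunkSize*nChunks with explicit overflow detection
// and then applies capBytes, so even a product that fits in 64 bits cannot
// drive an allocation the caller never intended to make.
func ReadBufferSize(chunkSize int32, nChunks uint64, capBytes uint64) (uint64, error) {
	if err := ValidateChunkSize(chunkSize); err != nil {
		return 0, err
	}
	hi, lo := bits.Mul64(uint64(chunkSize), nChunks)
	if hi != 0 {
		return 0, ErrOverflow
	}
	if lo > capBytes {
		return 0, ErrTooLarge
	}
	return lo, nil
}

func main() {
	// 1 MiB chunks * 4096 chunks is exactly 2^32: the 32-bit product is 0.
	fmt.Println("naive 1MiB*4096     =", naiveBufferSize(1<<20, 4096))
	fmt.Println("naive MaxInt32*2    =", naiveBufferSize(math.MaxInt32, 2))
	fmt.Println("validate -1         :", ValidateChunkSize(-1))
	n, err := ReadBufferSize(defaultChunkSize, 4, 1<<30)
	fmt.Println("checked 255KiB*4    =", n, err)
	_, err = ReadBufferSize(maxChunkSize, 1<<40, 1<<30)
	fmt.Println("checked 16MiB*2^40  :", err)
}
```

The order of the checks matters: the sign and range test on chunkSize comes first, because a negative int32 converted to an unsigned type becomes a huge positive number and would sail through the multiplication check.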
go-tuf improperly handles multiple key IDs for the same public keys in attacker-controlled metadata
Issue: If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then go-tuf clients 0.3.2 are susceptible to an attack where attackers can cause the same signature from the same publ...
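The threshold-counting flaw described above is reproduced in Go below, as an added example using a simplified model of TUF root metadata; these are not go-tuf's types or its verification code. One Ed25519 key is registered under two constructed key IDs ("keyid-a", "keyid-b") for a role with threshold 2, and a single signer submits the same signature under each ID. The vulnerable tally counts verifying signatures per key ID and reaches 2; the hardened tally counts distinct public keys and stops at 1. Key names, the signed bytes and the role layout are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Simplified model of TUF root metadata written for this example; these are
// not go-tuf's own types. Keys is attacker-controlled in the advisory's scenario.
type Role struct {
	KeyIDs    []string
	Threshold int
}

type Signature struct {
	KeyID string
	Sig   []byte
}

type Root struct {
	Keys  map[string]ed25519.PublicKey // keyID -> public key
	Roles map[string]Role
}

// authorised returns the set of key IDs the role trusts.
func authorised(role Role) map[string]bool {
	allowed := make(map[string]bool, len(role.KeyIDs))
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	return allowed
}

// CountByKeyID mirrors the vulnerable tally: every verifying signature whose
// keyID the role lists adds one, so one key registered under two IDs lets a
// single signer contribute twice with the same signature bytes.
func CountByKeyID(root Root, roleName string, signed []byte, sigs []Signature) int {
	allowed := authorised(root.Roles[roleName])
	n := 0
	for _, s := range sigs {
		pub, ok := root.Keys[s.KeyID]
		if !allowed[s.KeyID] || !ok {
			continue
		}
		if ed25519.Verify(pub, signed, s.Sig) {
			n++
		}
	}
	return n
}

// CountUniqueKeys tallies distinct public keys instead of key IDs, so the
// same key counts once however many IDs point at it; each key ID is also
// consumed once so a repeated signature entry cannot be replayed.
func CountUniqueKeys(root Root, roleName string, signed []byte, sigs []Signature) int {
	allowed := authorised(root.Roles[roleName])
	seenKeys := map[string]bool{}
	usedIDs := map[string]bool{}
	for _, s := range sigs {
		pub, ok := root.Keys[s.KeyID]
		if !allowed[s.KeyID] || !ok || usedIDs[s.KeyID] {
			continue
		}
		if !ed25519.Verify(pub, signed, s.Sig) {
			continue
		}
		usedIDs[s.KeyID] = true
		seenKeys[hex.EncodeToString(pub)] = true
	}
	return len(seenKeys)
}

// BuildScenario constructs the attack from the advisory: one Ed25519 key
// registered under two different IDs, a root role with threshold 2, and a
// single signer who submits the same signature under each ID.
func BuildScenario() (Root, []byte, []Signature) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	root := Root{
		Keys:  map[string]ed25519.PublicKey{"keyid-a": pub, "keyid-b": pub},
		Roles: map[string]Role{"root": {KeyIDs: []string{"keyid-a", "keyid-b"}, Threshold: 2}},
	}
	signed := []byte(`{"_type":"root","version":2}`) // constructed stand-in for canonical JSON
	sig := ed25519.Sign(priv, signed)
	return root, signed, []Signature{{KeyID: "keyid-a", Sig: sig}, {KeyID: "keyid-b", Sig: sig}}
}

func main() {
	root, signed, sigs := BuildScenario()
	th := root.Roles["root"].Threshold
	fmt.Printf("by key ID:   %d of %d\n", CountByKeyID(root, "root", signed, sigs), th)
	fmt.Printf("unique keys: %d of %d\n", CountUniqueKeys(root, "root", signed, sigs), th)
}
```

In the real TUF format a key ID is derived from the canonical encoding of the key, so a client can also reject metadata whose key IDs do not match the keys they label; deduplicating on the public key itself is the check that holds even when that derivation is not enforced.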