957 matches found
CLSA-2026-1777548617 Fix CVE(s): CVE-2026-4519, CVE-2026-4786
SECURITY UPDATE: webbrowser.open accepts URLs with leading dashes - debian/patches/CVE-2026-4519-CVE-2026-4786.patch: reject URLs whose lstrip starts with '-' in Lib/webbrowser.py; also fix bypass via %action substitution in UnixBrowser.open. - CVE-2026-4519 - CVE-2026-4786...
[SECURITY] Fedora 44 Update: zeal-0.8.0-2.fc44
Zeal is a simple offline documentation browser inspired by Dash...
python: Python: Command-line option injection in webbrowser.open() via crafted URLs
A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gwm6-q8ch-hcfr. This link is maintained to preserve external references. Original Description A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the ...
CVE-2026-35356
A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...
python: Python: Command-line option injection in webbrowser.open() via crafted URLs
A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...
CVE-2026-27447 affecting package cups for versions less than 2.4.17-1
CVE-2026-27447 affecting package cups for versions less than 2.4.17-1. An upgraded version of the package is available that resolves this issue...
MAL-2026-2700 Malicious code in conventional-changelog-dash (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 881ccc3d6c947645ee3866499931db298b0f2f7ac4a3d41dd9acf806d4e6d702 The package conventional-changelog-dash was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in conventional-changelog-dash (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 881ccc3d6c947645ee3866499931db298b0f2f7ac4a3d41dd9acf806d4e6d702 The package conventional-changelog-dash was found to contain malicious code. Source: ossf-package-analysis...
Important: python
Issue Overview: The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other...
Important: python3
Issue Overview: The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other...
Amazon Linux 2 : python, --advisory ALAS2-2026-3227 (ALAS-2026-3227)
The version of python installed on the remote host is prior to 2.7.18-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3227 advisory. The tarfile module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block...
Amazon Linux 2 : python3, --advisory ALAS2-2026-3228 (ALAS-2026-3228)
The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3228 advisory. The tarfile module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-bloc...
dash -- arith: INTMAX_MIN / -1 overflow
https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3 reports: Division and remainder currently guard against division by zero, but not against the signed overflow case INTMAXMIN / -1. On affected systems this can trigger SIGFPE during arithmetic...
CLSA-2026-1775654402 python3.9: Fix of CVE-2026-4519
CVE-2026-4519: fix webbrowser.open leading dash injection...
@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39381 via parse-server (>=9.6.0-alpha.37 <=9.7.0)
parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39381 Source advisory: OSV:GHSA-G4V2-QX3Q-4P64...
@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39321 via parse-server (>=9.6.0-alpha.37 <=9.7.0)
parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39321 Source advisory: OSV:GHSA-MMPQ-5HCV-HF2V...
Security update for python
This update for python fixes the following issues: CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives bsc1259611. CVE-2026-3644: incomplete control character validation in http.cookies can lead to input...
@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-35200 via parse-server (>=9.6.0-alpha.37 <=9.7.0)
parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-35200 Source advisory: OSV:GHSA-VR5F-2R24-W5HC...
@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-35200 via parse-server (>=9.6.0-alpha.37 <=9.7.0)
parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-35200 Source advisory: SNYK:JS-PARSESERVER-15906332...