3489 matches found

OSV
added 2026/05/15 10:40 a.m. | 0 views

SUSE-SU-2026:21688-1 Security update for glibc

This update for glibc fixes the following issues - CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application bsc1261206. - CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width 1024 bsc1262465. - CVE-2026-5928: libio: ungetwc...

CVSS 9.8 | AI score 5.8 | EPSS 0.0008
Exploits 3 | References 7

Snyk
added 2026/05/14 8:18 p.m. | 3 views

Cross-site Request Forgery (CSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the getuserprofileimagebyid and getmodelprofileimage handlers in the profile image endpoints. An attacker can supply an external https profile image URL, causing the...

CVSS 5.1 | AI score 5.8 | EPSS 0.00006
Exploits 1 | References 2

NVD
added 2026/05/14 8:17 p.m. | 5 views

CVE-2026-8537

Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVSS 4.3 | EPSS 0.00027
Exploits 0 | References 2

UbuntuCve
added 2026/05/14 8:17 p.m. | 3 views

CVE-2026-8537

Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVSS 4.3 | AI score 5.8 | EPSS 0.00027
Exploits 0 | References 3

ATTACKERKB
added 2026/05/14 7:52 p.m. | 3 views

CVE-2026-8576

Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...

AI score 5.8 | EPSS 0.00027
Exploits 0 | References 3 | Affected Software 1

Debian CVE
added 2026/05/14 7:52 p.m. | 5 views

CVE-2026-8545

Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVSS 3.1 | AI score 5.8 | EPSS 0.00027
Exploits 0

CVE
added 2026/05/14 7:52 p.m. | 8 views

CVE-2026-8537

CVE-2026-8537 is a Chrome/Chromium vulnerability: insufficient policy enforcement in the ViewTransitions component could allow a remote attacker to leak cross-origin data via a crafted HTML page. Affected version range is Chrome prior to 148.0.7778.168. Remediation is upgrade to the Chrome stable...

CVSS 4.3 | AI score 5.8 | EPSS 0.00027
Exploits 0 | References 2 | Affected Software 1

EUVD
added 2026/05/14 6:43 p.m. | 3 views

EUVD-2026-30366

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

CVSS 9.2 | AI score 5.8 | EPSS 0.00054
Exploits 2 | References 1

Patchstack
added 2026/05/14 2:58 p.m. | 5 views

NPM: FlowiseAI Vulnerable to Credential Data Leak

NPM: FlowiseAI Vulnerable to Credential Data Leak vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

AI score 5.8
Exploits 0 | References 3 | Affected Software 1

Github Security Blog
added 2026/05/14 2:58 p.m. | 4 views

FlowiseAI Vulnerable to Credential Data Leak

Severity: HIGH CVSS 7.5 Type: CWE-200 Exposure of Sensitive Information File: packages/server/src/services/credentials/index.ts:62-71 Description: When credentials are fetched with a credentialName filter parameter, the encryptedData field is NOT stripped from the response. The code properly omit...

AI score 5.9
Exploits 0 | References 3 | Affected Software 1

OSV
added 2026/05/14 2:58 p.m. | 2 views

GHSA-7G73-99R4-M4MJ FlowiseAI Vulnerable to Credential Data Leak

Severity: HIGH CVSS 7.5 Type: CWE-200 Exposure of Sensitive Information File: packages/server/src/services/credentials/index.ts:62-71 Description: When credentials are fetched with a credentialName filter parameter, the encryptedData field is NOT stripped from the response. The code properly omit...

CVSS 7 | AI score 5.9
Exploits 0 | References 3

Positive Technologies
added 2026/05/14 12:0 a.m. | 4 views

PT-2026-41105

Name of the Vulnerable Software and Affected Versions Google Chrome on Linux versions prior to 148.0.7778.168 Google Chrome on ChromeOS versions prior to 148.0.7778.168 Description An inappropriate implementation in Cross-Origin Resource Sharing CORS, a mechanism that allows restricted resources ...

CVSS 8.8 | AI score 5.9 | EPSS 0.00148
Exploits 0 | References 85

Positive Technologies
added 2026/05/14 12:0 a.m. | 6 views

PT-2026-40950

HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may allow exposure of data to external systems under specific conditions...

CVSS 5.1 | AI score 5.8 | EPSS 0.00029
Exploits 0 | References 2

Cvelist
added 2026/05/13 7:24 p.m. | 27 views

CVE-2026-42552 Flight: Sensitive information disclosure via default error handler in flightphp/core

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak...

CVSS 7.5 | EPSS 0.00015
Exploits 0 | References 1

ATTACKERKB
added 2026/05/13 12:40 p.m. | 2 views

CVE-2026-8463

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2verify on empty encoded input. The auto-detect form of argon2verify passes encodedlen - 1 as the length argument to memchr without checking that encodedlen is non-zero. When the encoded string is...

AI score 5.8 | EPSS 0.00041
Exploits 0 | References 3 | Affected Software 1

RedHat Linux
added 2026/05/13 6:58 a.m. | 3 views

freerdp: FreeRDP has an out-of-bounds read in ADPCM decoders due to missing predictor/step_index bounds checks

An out of bounds read flaw has been discovered in FreeRDP. This out-of-bounds read exists in the MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and stepindex values from input data. An attacker may be able to leverage this weakness to leak global data...

CVSS 9.4 | AI score 5.7 | EPSS 0.00058
Exploits 1 | References 6

RedHat Linux
added 2026/05/13 6:48 a.m. | 6 views

freerdp: FreeRDP has an out-of-bounds read in ADPCM decoders due to missing predictor/step_index bounds checks

An out of bounds read flaw has been discovered in FreeRDP. This out-of-bounds read exists in the MS-ADPCM and IMA-ADPCM decoders due to unchecked predictor and stepindex values from input data. An attacker may be able to leverage this weakness to leak global data...

CVSS 9.4 | AI score 5.7 | EPSS 0.00058
Exploits 1 | References 6

OSV
added 2026/05/13 4:27 a.m. | 1 views

MAL-2026-3683 Malicious code in @dropout-ai/runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2121b923a39177ed68ce5cf066cbb07891b7cb5d20ecf5ec66f2c953634eff10 On require/import, src/index.js replaces global.fetch with a wrapper that intercepts every fetch whose URL matches openai.com, anthropic.com,...

AI score 5.8
Exploits 0 | References 1

Vulnrichment
added 2026/05/13 3:7 a.m. | 2 views

CVE-2024-36315

Improper enforcement of the LFENCE serialization property may allow an attacker to bypass speculation barriers and potentially disclose sensitive information, potentially resulting in loss of confidentiality...

CVSS 5.7 | AI score 5.8 | EPSS 0.00028
Exploits 0 | References 2

OSSF Malicious Packages
added 2026/05/12 7:43 a.m. | 2 views

Malicious code in dlty (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 494f5fbab24a26771e84ce06eea5303b7d1b9135b505a6d93a01c417603f1902 Importing the dlty package triggers an active data-exfiltration channel from the installer to third-party-controlled infrastructure. dlty/init.py...

AI score 5.8
Exploits 0 | References 2