zrok copy writes attacker-controlled WebDAV paths outside the destination root

Summary Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root...

CVE-2026-43430

The issue CVE-2026-43430 affects the Linux kernel USB driver for yurex. A race condition occurs in the probe path where the bbu field is not initialized before the URB completion handler uses it, creating a window during which descriptor data can be overwritten by concurrent probing. This can lea...

GHSA-6H7W-V2XR-MQVW Bagisto Missing Authentication on Installer API Endpoints

Vulnerable Code File: packages/Ibkul/Installer/src/Routes/Ib.php groupfunction Route::controllerInstallerController::class-\groupfunction Route::get'install', 'index'-\name'installer.index'; Route::middlewareStartSession::class-\prefix'install/api'-\groupfunction Route::post'env-file-setup',...

luksmeta: Data corruption when handling LUKS1 partitions with luksmeta

A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this flaw by writing a large amount of metadata to an encrypted device. The utility fails to correctly validate the...

DRUPAL-CORE-2022-008

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...