CVE-2026-39973

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in brut/androlib/res/decoder/ResFileDecoder.java allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding apktool d. This is a...

Malicious code in json-dec (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de1db9ce26e4c5f4788ebbf809fede48364dd0741a8f4d0aa5580fac4b199f59 The package json-dec was found to contain malicious code. Source: ghsa-malware ad7f787412af0259dfcb2bcbb7429600fcb3c8a92510c70699961455caddd9ad Any...

OPENSUSE-SU-2026:20606-1 Security update for ImageMagick

This update for ImageMagick fixes the following issues: - CVE-2026-32259: stack out-of-bounds write due to a memory allocation failure in the sixel encoder can lead to a crash bsc1259612. - CVE-2026-32636: out-of-bounds write of a single zero byte due to bug the NewXMLTree method can lead to deni...

Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

GHSA-CVC6-Q2CP-2XHW Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

CVE-2026-22748

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

CVE-2026-22748 Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

CVE-2026-22748

CVE-2026-22748 affects Spring Security when JWT decoding uses NimbusJwtDecoder or NimbusReactiveJwtDecoder and an OAuth2TokenValidator is not configured separately (e.g., via setJwtValidator). Impact is that the issue can affect authentication integrity (I) with MEDIUM overall severity (CVSS v3.1...

CVE-2026-22748 Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

PT-2026-34252

Name of the Vulnerable Software and Affected Versions Spring Spring Security versions 6.3.0 through 6.3.14 Spring Spring Security versions 6.4.0 through 6.4.14 Spring Spring Security versions 6.5.0 through 6.5.9 Spring Spring Security versions 7.0.0 through 7.0.4 Description An issue exists when ...

CVE-2026-39973

Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in brut/androlib/res/decoder/ResFileDecoder.java allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding apktool d. This is a...

CVE-2026-40250 OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internaldwacompressor.h:1040 performs chan-width chan-bytesperelement in...

CVE-2026-40250 OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internaldwacompressor.h:1040 performs chan-width chan-bytesperelement in...

CVE-2026-40250

OpenEXR CVE-2026-40250 affects multiple release series (3.4.0–3.4.9, 3.3.0–3.3.9, 3.2.0–3.2.7) where internal_dwa_compressor.h:1040 computes chan->width * chan->bytes_per_element using int32 arithmetic without a size_t cast, enabling an integer overflow in the DWA decoder outBufferEnd point...

CVE-2026-29645

NEMU OpenXiangShan/NEMU before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector RVV decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted an...

Alibaba Cloud Linux 3 : 0073: perl-YAML-Syck (ALINUX3-SA-2026:0073)

The remote Alibaba Cloud Linux 3 host has a package installed that is affected by a vulnerability as referenced in the ALINUX3-SA-2026:0073 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-4177: YAML::Syck versions through 1.36 for...

Security update for GraphicsMagick (moderate)

openSUSE security update: security update for graphicsmagick ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20536-1 Rating: moderate References: bsc1258765 Cross-References: CVE-2026-26284 CVSS scores: CVE-2026-26284 SUSE : 6.5...

EUVD-2026-23937

NEMU OpenXiangShan/NEMU before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector RVV decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted an...

JLSEC-2026-157

strukturag libde265 commit d9fea9d wa discovered to contain a segmentation fault via the component decodercontext::computeframedroptable...

CVE-2026-40494

SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in tga.c has an asymmetric bounds check vulnerability. The run-packet path line 297 correctl...