GHSA-8396-JFFM-QX4W OpenFGA has cache-key delimiter injection in shared-iterator and v2 iterator that caches enables intra-store authorization-decision poisoning

Description In OpenFGA, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. Preconditions This applies if the following preconditions are present: - FGA runs with...

CVE-2026-53694

Improper Neutralization of Argument Delimiters in a Command 'Argument Injection' vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2...

CVE-2026-48096 OpenFGA: Cache-key delimiter injection in openfga/openfga shared-iterator and v2 iterator caches enables intra-store authorization-decision poisoning

OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in...

EUVD-2026-36060

Improper Neutralization of Argument Delimiters in a Command 'Argument Injection' vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2...

PT-2026-48471

Improper Neutralization of Argument Delimiters in a Command 'Argument Injection' vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before 9.5.7, before 8.23.2...

CVE-2026-6322

A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier URI that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw...

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

CVE-2026-40113

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openaimodel, openaikey, and openaibase without validating that these values do not contain commas. gcloud use...

CVE-2026-8708 Genzel breadcrumbs <= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page

The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the optionspage function. This makes it possible for unauthenticated attackers to update the plugin's breadcru...

EUVD-2026-32090

The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the optionspage function. This makes it possible for unauthenticated attackers to update the plugin's breadcru...

CLSA-2026-1779465893 postgresql: Fix of CVE-2026-6473

CVE-2026-6473: tsearch: bound StartSel/StopSel/FragmentDelimiter length to PGINT16MAX in tsheadline - CVE-2026-6473: contrib/ltree: guard lquery parsing against numvar and totallen wraparound - CVE-2026-6473: regex: add overflow-checked MALLOCARRAY/REALLOCARRAY and bound NFA state/color products...

CVE-2026-42586 Netty: CRLF Injection in Netty Redis Codec Encoder

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder RedisEncoder writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF \r\n characters. Since the...

EUVD-2026-29549

An improper neutralization of argument delimiters in a command 'argument injection' vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an...

CVE-2026-43893

exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stayopen True -@ - mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments...

EUVD-2026-27634

In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifssanitizeprepath When cifssanitizeprepath is called with an empty string or a string containing only delimiters e.g., "/", the current logic attempts to check cursor2 - 1 before cursor2...

CVE-2026-43112 fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath

In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifssanitizeprepath When cifssanitizeprepath is called with an empty string or a string containing only delimiters e.g., "/", the current logic attempts to check cursor2 - 1 before cursor2...

CVE-2026-43112

The CVE-2026-43112 issue affects the Linux kernel CIFS (Common Internet File System) client, specifically the function cifs_sanitize_prepath. The vulnerability occurs when processing an empty string or a string consisting only of delimiters (for example "/"); the code may dereference cursor2-1 be...

Linux Distros Unpatched Vulnerability : CVE-2026-43112

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - fs/smb/client: fix out-of-bounds read in cifssanitizeprepath When cifssanitizeprepath is called with an empty string or a string containing only delimiters e.g....

CVE-2026-6322

CVE-2026-6322 affects the fast-uri package. The vuln lies in normalize(): it decodes percent-encoded authority delimiters inside the host and then re-emits them as raw delimiters during serialization. This can cause a host, which combines an allowed domain, an encoded at-sign, and a different dom...

SUSE CVE-2026-42483

A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects modulehashdecode in multiple Kerberos-related modules because accountinfolen is...