1465 matches found

OSV
added last week, 2 views

GHSA-QP9X-WP8F-QGJJ tuf has platform-dependent delegation path matching

DelegatedRole.istargetinpathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern. Python's fnmatch.fnmatch calls os.path.normcase on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.pat...

CVSS: 4 | AI score: 5.8
Exploits: 0 | References: 3
RedHat Linux
added 2026/05/26 3:53 a.m., 14 views

Important: Red Hat Security Advisory: Red Hat build of Cryostat 4.2.0: new RHEL 9 container image security update

New Red Hat build of Cryostat 4.2.0 on RHEL 9 container images are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS: 9.8 | AI score: 7.3 | EPSS: 0.00175
Exploits: 3 | References: 17
vulnersOsv
added 2026/05/19 5:0 a.m., 12 views

@amag-ch/cds-dk (=0.4.0), @cap-js/ord (>=1.3.0 <=1.6.0) +11 more potentially affected by unknown CVE via @cap-js/openapi (=1.4.0)

@cap-js/openapi NPM version =1.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on @cap-js/openapi and may be impacted: - @amag-ch/cds-dk =0.4.0 - @cap-js/ord =1.3.0, =3.0.0, =2.0.0, =8.0.2, =0.0.1, =1.0.0, =0.5.0, =3.202312.1, =1.0.0, =1.0.0, =1.1.5,...

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/05/19 12:0 a.m., 3 views

@antv/ava (=3.6.0-alpha.0), @antv/gpt-vis (>=0.0.1 <=0.6.1) +31 more potentially affected by unknown CVE via @antv/l7-draw (=3.1.5)

@antv/l7-draw NPM version =3.1.5 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/l7-draw and may be impacted: - @antv/ava =3.6.0-alpha.0 - @antv/gpt-vis =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.9.9, =0.1.1, =1.0.0, =1.0.2, =1.0.2, =0.0.1, =0.0.1, =0.0....

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/05/15 4:55 p.m., 5 views

brainfart (>=0.1.0 <=0.3.0), calibrate-agent (>=0.0.1 <=0.0.26) +47 more potentially affected by CVE-2026-44716 via pipecat-ai (>=0.0.90 <=1.1.0)

pipecat-ai PYPI version =0.0.90, =0.1.0, =0.0.1, =0.0.8, =0.1.0, =0.0.18, =0.0.2, =0.0.0, =1.0.0b3, =0.1.2, =0.0.1, =0.0.1, =0.0.4 and more Source cves: CVE-2026-44716 Source advisory: SNYK:PYTHON-PIPECATAI-16700145...

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/05/14 7:16 p.m., 3 views

com.ritense.valtimo:audit (>=13.0.0.RELEASE <=13.22.0.RELEASE), com.ritense.valtimo:besluiten-api (>=13.0.0.RELEASE <=13.22.0.RELEASE) +48 more potentially affected by CVE-2026-42555 via com.ritense.valtimo:case (>=13.0.0.RELEASE <=13.22.0.RELEASE)

com.ritense.valtimo:case MAVEN version =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.13.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.0.0.RELEASE, =13.10.0.RELEASE, =13.10.0.RELEASE, =13.0.0.RELEASE,...

CVSS: 9.1 | AI score: 5.8 | EPSS: 0.00305
Exploits: 0
vulnersOsv
added 2026/05/13 8:2 p.m., 5 views

@piksail/strapi-plugin-publish-coolify (=0.0.1), stronges (=0.1.1) +1 more potentially affected by CVE-2026-22706 via @strapi/plugin-users-permissions (>=5.11.0 <=5.30.0)

@strapi/plugin-users-permissions NPM version =5.11.0, =5.30.0 is affected by a known vulnerability. The following packages have a transitive dependency on @strapi/plugin-users-permissions and may be impacted: - @piksail/strapi-plugin-publish-coolify =0.0.1 - stronges =0.1.1 - test-lead =0.1.0...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00059
Exploits: 0
vulnersOsv
added 2026/05/13 3:31 p.m., 4 views

nautobot-app-intent-networking (>=2.0.9 <=2.0.11), nautobot-bgp-models (>=3.0.0a1 <=3.0.0a2) +13 more potentially affected by CVE-2026-44798 via nautobot (>=3.0.0rc2 <=3.1.1)

nautobot PYPI version =3.0.0rc2, =2.0.9, =3.0.0a1, =3.0.0rc1, =4.0.0a1, =3.0.0a1, =4.0.0a1, =4.0.0a2 - nautobot-ssot =4.0.0a1 - nautobot-welcome-wizard =3.0.0a1 Source cves: CVE-2026-44798 Source advisory: SNYK:PYTHON-NAUTOBOT-16691141...

AI score: 5.8 | EPSS: 0.00056
Exploits: 0
vulnersOsv
added 2026/05/13 3:31 p.m., 5 views

nautobot-ai-ops (>=1.0.0 <=1.0.4), nautobot-bgp-models (>=0.7.0 <=1.0.0) +31 more potentially affected by CVE-2026-44798 via nautobot (>=1.0.3 <=2.4.22)

nautobot PYPI version =1.0.3, =1.0.0, =0.7.0, =1.1.0, =1.6.0, =1.0.0, =1.0.1, =1.0.0, =1.0.0, =1.0.0, =1.1.0, =1.0.0, =2.0.2 and more Source cves: CVE-2026-44798 Source advisory: OSV:GHSA-P3HX-PWF3-J8WR...

AI score: 5.8 | EPSS: 0.00056
Exploits: 0
vulnersOsv
added 2026/05/13 3:30 p.m., 4 views

nautobot-app-intent-networking (>=2.0.9 <=2.0.11), nautobot-bgp-models (>=3.0.0a1 <=3.0.0a2) +13 more potentially affected by CVE-2026-44797 via nautobot (>=3.0.0rc2 <=3.1.1)

nautobot PYPI version =3.0.0rc2, =2.0.9, =3.0.0a1, =3.0.0rc1, =4.0.0a1, =3.0.0a1, =4.0.0a1, =4.0.0a2 - nautobot-ssot =4.0.0a1 - nautobot-welcome-wizard =3.0.0a1 Source cves: CVE-2026-44797 Source advisory: SNYK:PYTHON-NAUTOBOT-16691212...

AI score: 5.8 | EPSS: 0.00037
Exploits: 0
vulnersOsv
added 2026/05/13 3:30 p.m., 3 views

nautobot-ai-ops (>=1.0.0 <=1.0.4), nautobot-device-resources (=1.0.0) +4 more potentially affected by CVE-2026-44797 via nautobot (>=2.0.0 <=2.4.22)

nautobot PYPI version =2.0.0, =1.0.0, =2.0.0, =0.16.0, =2.0.0, =2.5.0 - nautobot-ssot-unifi =1.0.2 Source cves: CVE-2026-44797 Source advisory: SNYK:PYTHON-NAUTOBOT-16691212...

AI score: 5.8 | EPSS: 0.00037
Exploits: 0
vulnersOsv
added 2026/05/13 3:30 p.m., 3 views

nautobot-ai-ops (>=1.0.0 <=1.0.4), nautobot-bgp-models (>=0.7.0 <=1.0.0) +31 more potentially affected by CVE-2026-44794 via nautobot (>=1.0.3 <=2.4.22)

nautobot PYPI version =1.0.3, =1.0.0, =0.7.0, =1.1.0, =1.6.0, =1.0.0, =1.0.1, =1.0.0, =1.0.0, =1.0.0, =1.1.0, =1.0.0, =2.0.2 and more Source cves: CVE-2026-44794 Source advisory: OSV:GHSA-WPXJ-44W3-2J6X...

AI score: 5.8 | EPSS: 0.00023
Exploits: 0
CVE
added 2026/05/13 9:26 a.m., 11 views

CVE-2026-4798

The connected sources confirm CVE-2026-4798 affects Avada Builder for WordPress

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00084
Exploits: 0 | References: 2
vulnersOsv
added 2026/05/12 5:49 a.m., 2 views

atlas-mcp (=0.1.0), blackmaria (=0.1.0) +5 more potentially affected by unknown CVE via guardrails-ai (=0.10.0)

guardrails-ai PYPI version =0.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on guardrails-ai and may be impacted: - atlas-mcp =0.1.0 - blackmaria =0.1.0 - dao-ai =0.1.39, =0.0.0a0, =0.1.0, =0.1.3 Source cves: unknown CVE Source advisory:...

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/05/12 12:7 a.m., 2 views

@solidjs-email/dev-server (=2.0.0), @tanstack/solid-start (>=1.20.3-alpha.1 <=1.167.62) potentially affected by unknown CVE via @tanstack/solid-start-server (>=1.121.0-alpha.28 <=1.166.51)

@tanstack/solid-start-server NPM version =1.121.0-alpha.28, =1.20.3-alpha.1, =1.167.62 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3486...

AI score: 5.8
Exploits: 0
Packet Storm News
added 2026/05/12 12:0 a.m., 5 views

Still Camouflage, Moving Illusion: View-Induced Trajectory Manipulation in Autonomous Driving

Existing physical adversarial attacks on vision-based autonomous driving induce time-evolving perception errors, including biased object tracking or trajectory prediction, through (i) sophisticated physical patch inducing detection box drift when entering the view distance, or (ii) dynamically changi...

AI score: 5.7
Exploits: 0
vulnersOsv
added 2026/05/11 2:42 p.m., 3 views

0perator (>=0.1.0 <=0.3.0), 0pflow (>=0.1.0 <=0.1.0-dev.f5622ac) +1437 more potentially affected by CVE-2026-44902 via @opentelemetry/auto-instrumentations-node (>=0.16.0 <=0.74.0)

@opentelemetry/auto-instrumentations-node NPM version =0.16.0, =0.1.0, =0.1.0, =0.0.1, =0.8.0, =1.0.5, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =0.2.0, =0.2.0, =0.0.1, =0.3.4, =0.1.0, =0.4.0, =0.4.0, =0.4.0, =5.0.1-staging.f17326334 and more Source cves: CVE-2026-44902...

AI score: 5.8 | EPSS: 0.00022
Exploits: 0
EUVD
added 2026/05/08 3:31 p.m., 6 views

EUVD-2026-28718

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. On ADSP stop, the q6apm-audio .remove callback unloads...

AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 7
OSV
added 2026/05/08 3:16 p.m., 4 views

UBUNTU-CVE-2026-43412

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. On ADSP stop, the q6apm-audio .remove callback unloads...

CVSS: 5.5 | AI score: 5.7 | EPSS: 0.00013
Exploits: 0 | References: 9
UbuntuCve
added 2026/05/08 3:16 p.m., 4 views

CVE-2026-43412

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. On ADSP stop, the q6apm-audio .remove callback unloads...

CVSS: 5.5 | AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 8