CVE-2026-30851

A flaw was found in the Caddy server platform, specifically within its reverse proxy module. The 'forwardauth copyheaders' functionality fails to properly strip client-supplied headers. This oversight allows a remote attacker to inject malicious headers, leading to identity injection and...

CVE-2026-26999

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote unauthenticated client can exploit this vulnerability by sending an incomplete Transport Layer Security TLS record, which causes the TLS handshake to stall indefinitely. This can lead to resource exhaustion, such as fi...

CVE-2026-1229

A flaw was found in the github.com/cloudflare/circl/ecc/p384 package. The CombinedMult function, which is part of the elliptic curve cryptography ECC implementation for the secp384r1 curve, generates an incorrect value when provided with specific inputs. This can lead to incorrect cryptographic...

CVE-2026-27121

svelte is a performance oriented web framework. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious...

CVE-2025-69872

A deserialization flaw was found in python-diskcache. This component uses Python pickle for serialization by default. An attacker with write access to the cache directory can exploit this vulnerability to achieve arbitrary code execution when a victim application reads from the cache. The impact ...

CVE-2026-2366

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim'...

CVE-2026-2360

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is...

CVE-2026-24682

A heap buffer overflow has been discovered in FreeRDP. audinserverrecvformats frees an incorrect number of audio formats on parse failure i + i, leading to out-of-bounds access in audioformatsfree. Mitigation Mitigation for this issue is either not available or the currently available options do...

CVE-2025-66628

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM PSX TIM image parser contains a critical integer overflow vulnerability in its ReadTIMImage function coders/tim.c. The code reads width and height 16-bit values from the file...

CVE-2025-67636

A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product...

CVE-2025-65803

An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service DoS via supplying a crafted PSD file. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat...

CVE-2025-62875

An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1. Mitigation Mitigation for this issue is either not available or the currently available options do not meet...

CVE-2025-60360

radare2 v5.9.8 and before contains a memory leak in the function r2rsubprocessinit. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread...

CVE-2025-59052

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container the "platform injector" to hold request-specific state during server-side rendering. For historical reasons, the container was stored as ...

CVE-2025-55190

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials usernames, passwor...

CVE-2025-57833

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed QuerySet.annotate or QuerySet.alias. Mitigation...

CVE-2025-24975

A flaw has been discovered in the Firebird SQL project that can lead to an access bypass. If connections stored in the ExtConnPool are not properly verified for the CryptCallback interface upon creation, it could cause a server process segmentation fault. This vulnerability could allow an...

CVE-2025-40920

An insecure nonce generation flaw was found in the Catalyst::Authentication::Credential::HTTP perl module, where it does not use a strong cryptographic source for generating nonces. This flaw allows an attacker to decrypt communications. Mitigation Mitigation for this issue is either not availabl...

CVE-2025-8864

Shared Access Signature token is not masked in the backup configuration response and is also exposed in the ybbackup logs Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and...

CVE-2025-54388

A firewall state management issue was found in the Moby project. When the firewalld service is reloaded, it removes all iptables rules, including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block...