4259 matches found
libvips 安全漏洞
libvips is an open-source fast image processing library with low memory requirements. Versions of libvips 8.18.2 and earlier contain security vulnerabilities. These vulnerabilities stem from the handling of the parameter “n” in the file “libvips/deprecated/vips7compat.c”, which may lead to a heap...
GHSA-V9WW-2J6R-98Q6 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
Impact @fastify/middie v9.3.1 and earlier does not read the deprecated but still functional top-level ignoreDuplicateSlashes option, only reading from routerOptions. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware bypass via...
PT-2026-32937
Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling...
Unisys WebPerfect Image Suite 安全漏洞
Unisys WebPerfect Image Suite is an enterprise document imaging and management system developed by Unisys, Inc. Both versions of Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 contain security vulnerabilities. These vulnerabilities stem from the exposure of deprecated.NET Remotin...
Why Your Deprecated Endpoints Are an Attacker’s Best Friend: The Rise of Ghost APIs
Ghost APIs are deprecated endpoints left active, exposing systems to attack. Learn how they differ from shadow APIs and why they create hidden security risks...
CVE-2026-34479
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log...
CVE-2026-5979
A vulnerability was detected in D-Link DIR-605L 2.13B01. Affected by this vulnerability is the function formVirtualServ of the file /goform/formVirtualServ of the component POST Request Handler. The manipulation of the argument curTime results in buffer overflow. The attack can be launched...
EUVD-2026-20060
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generatesessionid function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand...
CVE-2026-5082
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generatesessionid function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand...
CVE-2026-21380
Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory...
EUVD-2026-19336
Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory...
CVE-2026-21380
Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory...
CVE-2026-21380 Use After Free in DSP Service
Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory...
CVE-2026-21380 Use After Free in DSP Service
Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory...
CVE-2026-21380
CVE-2026-21380 involves memory corruption (use-after-free) in the DSP service when deprecated DMABUF IOCTL calls are used to manage video memory. Documents describe a local, low-privilege attack with no user interaction and high impact to confidentiality, integrity, and availability. Root cause i...
AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php
Summary The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitco...
PT-2026-30333
Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without authentication. The endpoint was intended as an AJAX polling helper for the authenticated...
SUSE CVE-2026-34041
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
PT-2026-28594
Name of the Vulnerable Software and Affected Versions act versions prior to 0.2.86 Description act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled due to environment injection risks. When a workflow step echoes untrusted data ...