Lucene search

8 matches found

ATTACKERKB
added 2026/05/13 4:26 a.m., 1 views

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

CVSS 8.1, AI score 5.8, EPSS 0.00123
Exploits: 0, References: 13

Github Security Blog
added 2026/04/21 7:5 p.m., 9 views

free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation

Summary A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions wit...

CVSS 6.9, AI score 6, EPSS 0.0006
Exploits: 0, References: 3, Affected Software: 1

Cvelist
added 2026/04/07 1:7 p.m., 12 views

CVE-2026-35554 Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition

A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is...

EPSS 0.00025
Exploits: 0, References: 2

OSV
added 2026/03/12 2:50 p.m., 1 views

GHSA-X442-M7CC-HR92 kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy

Summary When inner CPI instructions use instruction types not recognized by Kora's parser including Token-2022 extension instructions like ConfidentialTransfer, TransferFeeExtension::WithdrawWithheldTokens, etc., they are reconstructed as stub instructions with empty accounts and empty data. Thes...

CVSS 6.9, AI score 6
Exploits: 0, References: 2

RedhatCVE
added 2026/01/09 9:18 a.m., 1 views

CVE-2025-69255

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes getmetrics to unwrap failed deserialization of metrictype/opts, panicking the handler thread and enabling remote denial of service of the metrics...

CVSS 6.9, AI score 6.9, EPSS 0.00799
Exploits: 1, References: 1

NVD
added 2025/05/15 8:16 p.m., 8 views

CVE-2025-47784

Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause str_replace to replace the value of nameorig with empty, causing deserialization to fail and return false. Commit...

CVSS 9.8, EPSS 0.00755
Exploits: 0, References: 2

SUSE CVE
added 2023/02/15 4:45 a.m., 2 views

SUSE CVE-2017-8804

The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet...

CVSS 7.5, AI score 7.7, EPSS 0.06049
Exploits: 4, References: 23

OPENSUSE Linux
added 2018/02/20 6:13 p.m., 83 views

Security update for glibc (important)

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485, CVE-2018-6551: Fix integer overflows in...

CVSS 7.8, AI score 8.4, EPSS 0.41417
Exploits: 13, References: 5