Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nodejs20: nodejs20-20.20.0-7.1.hum1 aarch64, x86_64 nodejs20-bin-20.20.0-7.1.hum1 noarch nodejs20-devel-20.20.0-7.1.hum1 aarch64, x86_64 nodejs20-docs-20.20.0-7.1.hum1 noarch...
Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk
During routine security research, we identified a severe intent redirection vulnerability in a widely used third-party Android SDK called EngageSDK. This flaw allows apps ...
CVE-2026-39680
Missing Authorization vulnerability in MWP Development Diet Calorie Calculator diet-calorie-calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Diet Calorie Calculator: from n/a through = 1.1.1...
[SECURITY] Fedora 43 Update: pspp-2.1.1-5.fc43
PSPP is a program for statistical analysis of sampled data. It interprets commands in the SPSS language and produces tabular output in ASCII, PostScript, or HTML format. PSPP development is ongoing. It already supports a large subset of SPSS's transformation language. Its statistical procedure...
[SECURITY] Fedora 43 Update: goose-1.23.2-7.fc43
Goose is your on-machine AI agent, capable of automating complex development tasks from start to finish. More than just code suggestions, goose can build entire projects from scratch, write and execute code, debug failures, orchestrate workflows, and interact with external APIs - autonomously...
SDL2_image-devel-2.8.10-1.1 on GA media (moderate)
SDL2_image-devel-2.8.10-1.1 on GA media Announcement ID: openSUSE-SU-2026:10494-1 Rating: moderate Cross-References: CVE-2026-35444 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...
CVE-2026-39364
A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve...
CVE-2026-39365
A flaw was found in Vite. The development server's handling of .map requests contains a path traversal vulnerability. A remote attacker can exploit this by sending a specially crafted request with directory traversal sequences ../ to bypass security restrictions. This allows the attacker to...
CVE-2026-35568
The CVE-2026-35568 entry corresponds to a DNS rebinding vulnerability in the MCP Java SDK (official Java SDK for Model Context Protocol servers/clients). Prior to version 1.0.0, the java-sdk did not validate the Origin header, enabling an attacker-controlled webpage on local or adjacent networks ...
EUVD-2026-19954
Java-SDK has a DNS Rebinding Vulnerability...
GHSA-8JXR-PR72-R468 Java-SDK has a DNS Rebinding Vulnerability
Summary: The java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local, or network adjacent. This allows an attacker to make any tool call to the server as if they wer...
EUVD-2026-19875
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...
CVE-2026-39312
SoftEtherVPN is an open-source cross-platform multi-protocol VPN Program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 and likely earlier versions of Developer Edition. An unauthenticated remote attacker can cra...
Signals from the Cloud Security Forecast 2026: Cloud Risk Is Scaling through Design, Not Disruption
Key Takeaways Identity and permissions now determine what is reachable, making them the primary drivers of cloud risk. Runtime exposure, not individual findings, determines how low-risk issues combine into real impact. SaaS and OAuth integrations extend the control plane and amplify blast radius...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: libpng: libpng-1.6.56-1.hum1 aarch64, x86_64 libpng-devel-1.6.56-1.hum1 aarch64, x86_64 libpng-static-1.6.56-1.hum1 aarch64, x86_64 libpng-tools-1.6.56-1.hum1 aarch64, x86_64 libpng-1.6.56-1.hum1.src...
OPENSUSE-SU-2026:10494-1 SDL2_image-devel-2.8.10-1.1 on GA media
These are all security issues fixed in the SDL2_image-devel-2.8.10-1.1 package on the GA media of openSUSE Tumbleweed...
EUVD-2026-19440
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $ or backtick expressions in...
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Summary: Any files ending with .map, even outside the project, can be returned to the browser. Impact: Only apps that match the following conditions are affected: - explicitly expose the Vite dev server to the network using the --host or server.host config option - have sensitive content in files...
Incorrect Behavior Order: Validate Before Canonicalize
Overview: vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through the server.fs.deny component. An attacker can access sensitive files by appending specific query parameters such as ?raw,...
Missing Authentication for Critical Function
Overview: vite-plus is The Unified Toolchain for the Web. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is...