9124 matches found

OSV
added 2026/05/27 9:7 a.m. | 2 views

SUSE-SU-2026:21852-1 Security update for alloy

This update for alloy fixes the following issues:
- CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service bsc1262955.
- CVE-2026-41602: github.com/apache/thrift: TFramedTransport frame size headers can lead to a uint32 integer...

CVSS 7.5 | AI score 5.8 | EPSS 0.00073
Exploits: 0 | References: 5

GithubExploit
added 2026/05/27 3:1 a.m. | 78 views

vulnhunt-agent

Vulnerability Hunting Agent An LLM agent that reads code,...

AI score 5.8
Exploits: 0

Tenable Nessus
added 2026/05/27 12:0 a.m. | 12 views

Amazon Linux 2 : docker, --advisory ALAS2NITRO-ENCLAVES-2026-104 (ALASNITRO-ENCLAVES-2026-104)

The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2026-104 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C...

CVSS 7.5 | AI score 6 | EPSS 0.00058
Exploits: 0 | References: 16

Positive Technologies
added 2026/05/27 12:0 a.m. | 6 views

PT-2026-45980

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs.name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentom...

CVSS 8.8 | AI score 5.9
Exploits: 0 | References: 2

Tenable Nessus
added 2026/05/27 12:0 a.m. | 8 views

Amazon Linux 2 : docker, --advisory ALAS2ECS-2026-115 (ALASECS-2026-115)

The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-115 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and ...

CVSS 7.5 | AI score 7.5 | EPSS 0.00058
Exploits: 0 | References: 16

Tenable Nessus
added 2026/05/27 12:0 a.m. | 8 views

Amazon Linux 2 : docker, --advisory ALAS2DOCKER-2026-119 (ALASDOCKER-2026-119)

The version of docker installed on the remote host is prior to 25.0.14-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2026-119 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory a...

CVSS 7.5 | AI score 7.5 | EPSS 0.00058
Exploits: 0 | References: 16

Tenable Nessus
added 2026/05/27 12:0 a.m. | 12 views

Amazon Linux 2023 : docker (ALAS2023-2026-1736)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1736 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

CVSS 7.5 | AI score 6 | EPSS 0.00058
Exploits: 0 | References: 16

CNNVD
added 2026/05/27 12:0 a.m. | 7 views

BentoML Security Vulnerability

BentoML is an open-source model service library developed by BentoML. It is used to build high-performance and scalable artificial intelligence applications using Python. Versions of BentoML prior to 1.4.39 contained a security vulnerability. This vulnerability stemmed from the lack of escaping f...

CVSS 8.8 | AI score 5.9 | EPSS 0.00046
Exploits: 1 | References: 1

Positive Technologies
added 2026/05/27 12:0 a.m. | 6 views

PT-2026-45979

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, `src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2` interpolates `docker.base_image` raw with no escaping, newline filtering, or validation. A malicious...

CVSS 8.8 | AI score 6
Exploits: 0 | References: 2

RedhatCVE
added 2026/05/26 8:14 p.m. | 13 views

CVE-2026-5843

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the `model_file` configuration field in `config.json`. When a model's `config.json` specifies a `model_file` pointing to a Python...

CVSS 8.8 | AI score 6.4 | EPSS 0.0002
Exploits: 0 | References: 1

RedhatCVE
added 2026/05/26 8:14 p.m. | 9 views

CVE-2026-5817

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets `trust_remote_code=True` when loading model tokenizers, and runs without sandboxing. This causes `transformers.AutoTokenizer.from_pretrained` to import and execute arbitrary Python files included in any model pulled fr...

CVSS 8.8 | AI score 6.5 | EPSS 0.0002
Exploits: 1 | References: 1

NVD
added 2026/05/26 7:16 p.m. | 10 views

CVE-2026-9568

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack'...

CVSS 5.1 | EPSS 0.00041
Exploits: 0 | References: 5

Cvelist
added 2026/05/26 6:0 p.m. | 28 views

CVE-2026-9568 ThingsBoard YAML provision getGatewayDockerComposeFile code injection

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack'...

CVSS 5.1 | EPSS 0.00041
Exploits: 0 | References: 5

ATTACKERKB
added 2026/05/26 6:0 p.m. | 6 views

CVE-2026-9568

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack'...

CVSS 5.1 | AI score 5.2 | EPSS 0.00041
Exploits: 0 | References: 6

Vulnrichment
added 2026/05/26 6:0 p.m. | 6 views

CVE-2026-9568 ThingsBoard YAML provision getGatewayDockerComposeFile code injection

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack'...

CVSS 5.1 | AI score 5.2 | EPSS 0.00041
Exploits: 0 | References: 5

NVD
added 2026/05/26 3:16 p.m. | 10 views

CVE-2026-45082

Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward...

CVSS 7.6 | EPSS 0.00041
Exploits: 0 | References: 1

CVE
added 2026/05/26 1:45 p.m. | 17 views

CVE-2026-45082

Karakeep (self-hostable bookmark-everything app) has an SSRF protection bypass in versions before 0.32.0. Attackers could abuse crafted HTTP redirects to cause authenticated users to trigger requests from vulnerable components to internally reachable Docker network services. Affected processing pa...

CVSS 7.6 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 1

Vulnrichment
added 2026/05/26 1:45 p.m. | 9 views

CVE-2026-45082 Karakeep has a SSRF Protection Bypass via Redirect Handling

Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward...

CVSS 7.6 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 1

ATTACKERKB
added 2026/05/26 1:45 p.m. | 5 views

CVE-2026-45082

Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward...

CVSS 7.6 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 2 | Affected Software: 1

EUVD
added 2026/05/26 1:45 p.m. | 7 views

EUVD-2026-31826

Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward...

CVSS 7.6 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 1