Lucene search

4609 matches found

Positive Technologies
added 2026/04/22 12:0 a.m. | 1 views

PT-2026-34530

A panic was reachable when parsing certificate revocation lists via BorrowedCertRevocationList::from_der or OwnedCertRevocationList::from_der. This was the result of mishandling a syntactically valid empty BIT STRING appearing in the onlySomeReasons element of an IssuingDistributionPoint CRL...

5.8 AI score
Exploits 0 | References 3
CNNVD
added 2026/04/22 12:0 a.m. | 6 views

uutils coreutils input validation error vulnerability

uutils coreutils is a cross-platform core command-line toolset developed by Uutils Open Source. uutils coreutils has a vulnerability related to input validation errors. This vulnerability stems from a cut logic error, which incorrectly interprets two-byte literal strings as empty delimiters. This...

5.5 CVSS | 5.8 AI score | 0.00022 EPSS
Exploits 1 | References 1
CNNVD
added 2026/04/22 12:0 a.m. | 6 views

uutils coreutils security vulnerability

uutils coreutils is a cross-platform core command-line toolset developed by Uutils Open Source. There is a security vulnerability in uutils coreutils. This vulnerability arises from the fact that the mktemp utility fails to properly handle the empty TMPDIR environment variable. Unlike GNU mktemp,...

3.3 CVSS | 5.8 AI score | 0.00017 EPSS
Exploits 0 | References 1
Tenable Nessus
added 2026/04/22 12:0 a.m. | 3 views

Unity Linux 20.1050e / 20.1060e Security Update: kernel (UTSA-2026-013404)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013404 advisory. In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix nilfs_empty_dir misjudgment and long loop on I/O errors. The error handling in...

7.1 CVSS | 6.8 AI score | 0.00031 EPSS
Exploits 0 | References 4
ATTACKERKB
added 2026/04/21 11:32 p.m. | 0 views

CVE-2026-41128

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3 CVSS | 5.9 AI score | 0.00041 EPSS
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2026/04/21 7:39 p.m. | 28 views

CVE-2026-40884 goshs: Empty-username SFTP password authentication bypass in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP...

9.8 CVSS | 0.00098 EPSS
Exploits 1 | References 1
Vulnrichment
added 2026/04/21 7:39 p.m. | 4 views

CVE-2026-40884 goshs: Empty-username SFTP password authentication bypass in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP...

9.8 CVSS | 5.8 AI score | 0.00098 EPSS
Exploits 1 | References 1
NVD
added 2026/04/21 6:16 p.m. | 2 views

CVE-2026-40599

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows malicious software to impersonate an Apple...

8.4 CVSS | 0.00015 EPSS
Exploits 1 | References 1
CVE
added 2026/04/21 5:37 p.m. | 4 views

CVE-2026-40599

CVE-2026-40599 affects ClearanceKit on macOS. Before 5.0.5, a process with an empty Team ID but non-empty Signing ID can be misidentified as an Apple platform binary, enabling a malicious app to impersonate an Apple process in the global allowlist and access protected files. The issue is fixed in...

8.4 CVSS | 5.8 AI score | 0.00015 EPSS
Exploits 1 | References 1 | Affected Software 1
Tenable Nessus
added 2026/04/21 12:0 a.m. | 3 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013167)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013167 advisory. In the Linux kernel, the following vulnerability has been resolved: MIPS: fw: Allow firmware to pass a empty env. fw_getenv will use env entry to determine style of en...

5.7 AI score | 0.0007 EPSS
Exploits 0 | References 4
Tenable Nessus
added 2026/04/21 12:0 a.m. | 2 views

Unity Linux 20.1070e Security Update: freerdp (UTSA-2026-006941)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006941 advisory. FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when...

9.1 CVSS | 7.2 AI score | 0.00659 EPSS
Exploits 1 | References 4
CNNVD
added 2026/04/21 12:0 a.m. | 5 views

goshs access control error vulnerability

Goshs is a simple HTTP server developed by Patrick Hener using Go language. Versions of Goshs prior to 2.0.0-beta.6 contained an access control vulnerability. This vulnerability occurred when using the basic authentication syntax with an empty username recorded in the documentation, without...

9.8 CVSS | 5.8 AI score | 0.00098 EPSS
Exploits 1 | References 1
Positive Technologies
added 2026/04/21 12:0 a.m. | 5 views

PT-2026-34037

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows malicious software to impersonate an Apple...

8.4 CVSS | 5.8 AI score | 0.00015 EPSS
Exploits 1 | References 2
Tenable Nessus
added 2026/04/21 12:0 a.m. | 3 views

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011235)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011235 advisory. In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty. list_first_entry never returns NULL - if...

7.1 CVSS | 6.6 AI score | 0.00014 EPSS
Exploits 0 | References 4
SUSE CVE
added 2026/04/20 11:26 p.m. | 2 views

SUSE CVE-2026-31430

In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before...

5.6 AI score | 0.00013 EPSS
Exploits 0 | References 3
RedhatCVE
added 2026/04/20 7:22 p.m. | 2 views

CVE-2026-40525

OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the apikey configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke...

9.1 CVSS | 5.8 AI score | 0.00144 EPSS
Exploits 1 | References 1
RedhatCVE
added 2026/04/20 2:42 p.m. | 3 views

CVE-2026-31430

A flaw was found in the Linux kernel. An unprivileged user can exploit this vulnerability by submitting a specially crafted X.509 certificate to the kernel through the keyrings(7) application programming interface (API). This certificate, specifically when containing empty Basic Constraints or Key...

7.1 CVSS | 5.8 AI score | 0.00013 EPSS
Exploits 0 | References 4
NVD
added 2026/04/20 10:16 a.m. | 1 views

CVE-2026-31430

In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before...

7.1 CVSS | 0.00013 EPSS
Exploits 0 | References 5
OSV
added 2026/04/20 10:12 a.m. | 1 views

RHSA-2026:8855 Red Hat Security Advisory: rhc security update

Bulletin has no description...

7.5 CVSS | 5.6 AI score | 0.00044 EPSS
Exploits 0 | References 11
ATTACKERKB
added 2026/04/20 9:43 a.m. | 3 views

CVE-2026-31430

In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before...

5.6 AI score | 0.00013 EPSS
Exploits 0 | References 6 | Affected Software 1