18 matches found

Tenable Nessus
added 2026/04/21 12:00 a.m., 3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010920)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010920 advisory. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential memory leaks When the driver hits -ENOMEM at allocating a URB or a...

CVSS 5.5 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 4
ATTACKERKB
added 2026/04/03 10:50 p.m., 2 views

CVE-2026-34936

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL schem...

CVSS 7.7 | AI score 5.8 | EPSS 0.00014
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2026/03/11 6:28 p.m., 23 views

CVE-2026-31877 Frappe SQL Injection due to improper field sanitization

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0...

CVSS 9.3 | EPSS 0.00076
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2023-59043

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.4 | EPSS 0.00593
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-53335

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 7.3 | EPSS 0.00021
Exploits: 0 | References: 5
EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2025-12575

Malicious code in bioql PyPI...

CVSS 7.3 | AI score 7.5 | EPSS 0.00208
Exploits: 0 | References: 4
IBM Security Bulletins
added 2025/09/01 2:53 p.m., 7 views

Security Bulletin: EndpointRequest.to() creates a matcher for null/** if the actuator endpoint is disabled or not exposed, which affects IBM watsonx.data

Summary EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used i...

CVSS 7.3 | AI score 6.6 | EPSS 0.00208
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/08/28 5:08 p.m., 12 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in Spring [CVE-2025-22235]

Summary: IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in Spring, caused by Spring Boot EndpointRequest.to() creating the wrong matcher if the actuator endpoint is not exposed (CVE-2025-22235). Spring is used as part of our Java Microservices. This vulnerability...

CVSS 7.3 | AI score 7.3 | EPSS 0.00208
Exploits: 0 | Affected Software: 1
Tenable Nessus
added 2025/08/11 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2025-22235

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your...

CVSS 7.3 | AI score 6.9 | EPSS 0.00208
Exploits: 0 | References: 2
OSV
added 2025/04/28 9:31 a.m., 2 views

GHSA-RC42-6C7J-7H5R Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security; EndpointRequest.to() has been used in a Spri...

CVSS 7.3 | AI score 7 | EPSS 0.00208
Exploits: 0 | References: 4
RedhatCVE
added 2024/12/29 2:54 p.m., 6 views

CVE-2024-56687

In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix hardware lockup on first Rx endpoint request. There is a possibility that a request's callback could be invoked from usb_ep_queue() (call trace below, supplemented with missing calls): req->complete from...

CVSS 5.5 | AI score 6.7 | EPSS 0.00021
Exploits: 0 | References: 4
CVE
added 2024/12/28 9:46 a.m., 106 views

CVE-2024-56687

The CVE-2024-56687 issue affects the Linux kernel USB MUSB gadget path, where a request’s complete callback could be invoked from usb_ep_queue(), risking a hardware lockup and potential deadlock in the RX path. Root cause involves complex interaction between RXPKTRDY handling, IRQs, and the callb...

CVSS 5.5 | AI score 6.4 | EPSS 0.00021
Exploits: 0 | References: 6 | Affected Software: 1
Github Security Blog
added 2024/07/08 6:41 p.m., 23 views

Directus GraphQL Field Duplication Denial of Service (DoS)

Summary: A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and...

CVSS 6.5 | AI score 7 | EPSS 0.00859
Exploits: 1 | References: 4 | Affected Software: 1
CVE
added 2021/04/23 4:05 p.m., 80 views

CVE-2021-31406

The CVE-2021-31406 entry concerns a timing side-channel vulnerability in Vaadin. Affected products/versions are: com.vaadin:flow-server 3.0.0–5.0.3 (Vaadin 15.0.0–18.0.6) and com.vaadin:fusion-endpoint 6.0.0 (Vaadin 19.0.0). The root cause is a non-constant-time comparison of CSRF tokens in the e...

CVSS 4 | AI score 3.6 | EPSS 0.00054
Exploits: 0 | References: 2 | Affected Software: 2
OSV
added 2021/04/19 2:47 p.m., 21 views

GHSA-9H6G-6MXG-VVP4 Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess a security token for Fusion endpoints via a timing attack....

CVSS 4 | AI score 3.8 | EPSS 0.00054
Exploits: 0 | References: 3
Github Security Blog
added 2021/04/19 2:47 p.m., 41 views

Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess a security token for Fusion endpoints via a timing attack....

CVSS 4 | AI score 3.6 | EPSS 0.00054
Exploits: 0 | References: 3 | Affected Software: 1
Vaadin
added 2021/03/19 12:00 a.m., 22 views

Timing side channel vulnerability in endpoint request handler in Vaadin 15-19

Non-constant-time comparison of CSRF tokens in the endpoint request handler in com.vaadin:flow-server versions 3.0.0 through 5.0.3 (Vaadin 15.0.0 through 18.0.6), and com.vaadin:fusion-endpoint version 6.0.0 (Vaadin 19.0.0), allows an attacker to guess a security token for Fusion endpoints via a timing attack...

CVSS 4 | AI score 0.4 | EPSS 0.00054
Exploits: 0 | References: 2 | Affected Software: 2
Veracode
added 2018/07/16 6:49 a.m., 15 views

Privilege Escalation

express-cart is vulnerable to privilege escalation attacks. A malicious user can pass a crafted request to the endpoint containing the /admin/setup string to create a user that will be considered an admin user...

CVSS 8.8 | AI score 8.6 | EPSS 0.00247
Exploits: 1 | References: 3 | Affected Software: 1