73820 matches found

Snyk, added 2026/05/04 7:26 p.m. (6 views)

Insertion of Sensitive Information Into Sent Data

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the errors middleware process. An attacker can obtain sensitive authentication headers, such as Authorization and Cookie, by triggering a backend response that matches the configured...

CVSS 6.9 | AI score 5.8 | EPSS 0.00445
Exploits: 1 | References: 2
OSV, added 2026/05/04 7:26 p.m. (6 views)

GHSA-P6HG-QH38-555R Traefik's errors middleware forwards Authorization and Cookie headers to separate error page service

Summary: There is a medium severity information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the original request's complete header set, including Authorization, Cookie,...

CVSS 6.9 | AI score 5.9 | EPSS 0.00445
Exploits: 1 | References: 6
ATTACKERKB, added 2026/05/04 6:30 p.m. (5 views)

CVE-2026-2828

REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage...

AI score 5.8
Exploits: 0 | References: 1
Snyk, added 2026/05/04 6:27 p.m. (6 views)

Arbitrary Code Injection

Overview: org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection via the SuppressedError. An attacker can execute arbitrary code outside the intended sandbox environment by...

CVSS 10 | AI score 6.4 | EPSS 0.00576
Exploits: 1 | References: 2
ATTACKERKB, added 2026/05/04 5:53 p.m. (3 views)

CVE-2026-42146

CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nbcolors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nbcolors value triggers an...

CVSS 5.5 | AI score 5.7 | EPSS 0.00119
Exploits: 0 | References: 5
Cvelist, added 2026/05/04 4:43 p.m. (31 views)

CVE-2026-25293 Incorrect authorization in PLC FW

Buffer overflow due to incorrect authorization in PLC FW...

CVSS 9.6 | EPSS 0.00182
Exploits: 0 | References: 1
Vulnrichment, added 2026/05/04 4:35 p.m. (4 views)

CVE-2026-26332 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8 | AI score 5.9 | EPSS 0.00576
Exploits: 1 | References: 2
ATTACKERKB, added 2026/05/04 4:35 p.m. (3 views)

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8 | AI score 5.9 | EPSS 0.00576
Exploits: 1 | References: 3 | Affected Software: 1
OSV, added 2026/05/04 3:16 p.m. (3 views)

DEBIAN-CVE-2026-33007

A NULL pointer dereference in mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue...

CVSS 5.3 | AI score 5.8 | EPSS 0.00514
Exploits: 0 | References: 1
RedHat Linux, added 2026/05/04 2:31 p.m. (8 views)

python-markdown: denial of service via malformed HTML-like sequences

A flaw was found in Python-Markdown. Parsing crafted markdown content containing malformed HTML-like sequences causes html.parser.HTMLParser to raise an unhandled AssertionError. This unhandled exception allows an attacker to cause an application crash and potentially disclose sensitive informati...

CVSS 7.5 | AI score 7.2 | EPSS 0.00465
Exploits: 1 | References: 7
OSV, added 2026/05/04 1:12 p.m. (7 views)

JLSEC-2026-407

A use after free vulnerability exists in curl v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the now freed hash. This flaw...

CVSS 7.5 | AI score 6.8 | EPSS 0.02489
Exploits: 1 | References: 18
OSV, added 2026/05/04 1:12 p.m. (9 views)

JLSEC-2026-415 libcurl skips the certificate verification for a QUIC connection under certain conditions, when...

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems...

CVSS 6.3 | AI score 7.3 | EPSS 0.01709
Exploits: 1 | References: 14
RedhatCVE, added 2026/05/04 10:22 a.m. (5 views)

CVE-2026-5404

A flaw was found in Wireshark. This vulnerability allows a remote attacker to cause the application to crash, leading to a denial of service. The attacker can achieve this by tricking a user into opening a specially crafted K12 RF5 file, which triggers a parser error. Mitigation: To mitigate this...

CVSS 5.5 | AI score 5.7 | EPSS 0.0012
Exploits: 1 | References: 5
UbuntuCve, added 2026/05/04 7:16 a.m. (3 views)

CVE-2026-43859

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest...

CVSS 3.7 | AI score 5.8 | EPSS 0.00162
Exploits: 0 | References: 1
NVD, added 2026/05/04 7:16 a.m. (43 views)

CVE-2026-43859

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest...

CVSS 3.7 | EPSS 0.00162
Exploits: 0 | References: 1
OSV, added 2026/05/04 7:16 a.m. (4 views)

UBUNTU-CVE-2026-43860

mutt before 2.3.2 sometimes truncates the hashpasswd by one byte for IMAP auth_cram MD5 digest...

CVSS 3.7 | AI score 5.8 | EPSS 0.00162
Exploits: 0 | References: 2
NVD, added 2026/05/04 7:15 a.m. (15 views)

CVE-2026-20450

In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch...

CVSS 6.5 | EPSS 0.00291
Exploits: 0 | References: 1
Vulnrichment, added 2026/05/04 5:41 a.m. (6 views)

CVE-2026-20450

In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch...

AI score 5.9 | EPSS 0.00291
Exploits: 0 | References: 1
ATTACKERKB, added 2026/05/04 5:41 a.m. (3 views)

CVE-2026-20450

In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch...

CVSS 6.5 | AI score 5.9 | EPSS 0.00291
Exploits: 0 | References: 2
CVE, added 2026/05/04 5:41 a.m. (10 views)

CVE-2026-20450

CVE-2026-20450 affects the Modem component. The issue is a crash caused by incorrect error handling, which can lead to remote denial of service if a user equipment connects to a rogue base station controlled by an attacker. No user interaction is required; exploitation is scoped to adjacent acces...

CVSS 6.5 | AI score 5.9 | EPSS 0.00291
Exploits: 0 | References: 1 | Affected Software: 1