Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass

Security Disclosure: SSRF via MetaIssuer Regex Bypass Summary Fulcio's metaRegex function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. T...

Important: Red Hat Security Advisory: opentelemetry-collector security update

An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, ...

Important: Red Hat Security Advisory: opentelemetry-collector security update

An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating,...

Astra Linux – Vulnerability in Ruby 3.1

In the CGI gem before version 0.4.2 for Ruby, there is a Regular Expression Denial of Service ReDoS vulnerability in the UtilescapeElement method...

SUSE CVE-2025-15506

A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has...

MiracleLinux 7 : php-5.4.16-48.0.11.el7.AXS7 (AXSA:2025-10916:10)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-10916:10 advisory. CVE-2017-9224: fix out-of-bounds read of a stack in matchat function CVE-2017-9226: fix out-of-bounds write or read of a heap in nextstateval...

tarteaucitron.js 安全漏洞

tarteaucitron.js is a cookie manager for the Amauri CHAMPEAUX Personal Developer. A security vulnerability exists in tarteaucitron.js versions prior to 1.29.0, which stems from a regular expression denial of service when handling the issuuid parameter...

RHEL 10 : opentelemetry-collector (RHSA-2026:0514)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0514 advisory. Collector with the supported components for a Red Hat build of OpenTelemetry Security Fixes: github.com/expr-lang/expr: Expr: Denial of Service via...

PT-2026-2796

Name of the Vulnerable Software and Affected Versions tarteaucitron.js versions prior to 1.29.0 Description A Regular Expression Denial of Service ReDoS issue exists in tarteaucitron.js when handling the issuu id parameter. This could lead to a denial of service. Recommendations Update to version...

RHEL 9 : opentelemetry-collector (RHSA-2026:0513)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0513 advisory. Collector with the supported components for a Red Hat build of OpenTelemetry Security Fixes: github.com/expr-lang/expr: Expr: Denial of Service via...

RHEL 9 : opentelemetry-collector (RHSA-2026:0512)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0512 advisory. Collector with the supported components for a Red Hat build of OpenTelemetry Security Fixes: github.com/expr-lang/expr: Expr: Denial of Service via...

MiracleLinux 7 : python3-setuptools-39.2.0-10.0.5.0.1.el7.AXS7 (AXSA:2025-11012:02)

The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2025-11012:02 advisory. CVE-2022-40897: fix Regular Expression Denial of Service ReDoS in packageindex.py CVE-2024-6345: fix remote code execution in packageindex module...

Regular Expression Denial of Service (ReDoS)

Overview langchain-classic is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the parse function in the MRKLOutputParser class. An attacker can cause excessive CPU consumption and significan...

CVE-2024-58340

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.parse method libs/langchain/langchain/agents/mrkl/outputparser.py. The parser applies a backtracking-prone regular expression when extracting tool actions from...

PYSEC-2026-75

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.parse method libs/langchain/langchain/agents/mrkl/outputparser.py. The parser applies a backtracking-prone regular expression when extracting tool actions from...

CVE-2024-58340 LangChain <= 0.3.1 MRKLOutputParser ReDoS

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.parse method libs/langchain/langchain/agents/mrkl/outputparser.py. The parser applies a backtracking-prone regular expression when extracting tool actions from...

CVE-2024-58340 LangChain <= 0.3.1 MRKLOutputParser ReDoS

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.parse method libs/langchain/langchain/agents/mrkl/outputparser.py. The parser applies a backtracking-prone regular expression when extracting tool actions from...

LangChain 安全漏洞

LangChain is the LangChain open source framework for developing applications powered by the Large Language Model LLM. A security vulnerability exists in LangChain 0.3.1 and earlier versions, which stems from the MRKLOutputParser.parse method using a regular expression that is vulnerable to...

n8n Node.js Package < 1.121.3 RCE (CVE-2026-21877)

The version of the n8n Node.js Package installed on the remote host is prior to 1.121.3. It is, therefore, affected by a remote code execution vis expression injection vulnerability: - Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the ConvertToRegularExpression function. An attacker can cause a crash or access unintended memory by providing specially crafted input locally. Remediation Upgrade opencolorio to version 2.5.1 or higher. Referenc...