Amazon Linux 2 : golang, --advisory ALAS2-2026-3313 (ALAS-2026-3313)

The version of golang installed on the remote host is prior to 1.25.10-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3313 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a...

CVE-2026-31843

The goodoneuz/pay-uz Laravel package = 2.2.24 contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any without authentication middleware, enabling remot...

EUVD-2026-16160

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can...

MiracleLinux 7 : rh-nodejs8-nodejs-8.17.0-2.el7 (AXSA:2020-200:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-200:01 advisory. nodejs-brace-expansion: Regular expression denial of service CVE-2017-18077 nodejs-chownr: TOCTOU vulnerability in chownr function in chownr.js...

CVE-2024-39334

MENDELSON AS4 before 2024 B376 has a client-side vulnerability when a trading partner provides prepared XML data. When a victim opens the details of this transaction in the client, files can be written to the computer on which the client process is running. The server process is not affected...

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following via the mishandling of symlink destinations while evaluating template repos. An attacker can write to unintended files and potentially gain shell access on the server by creating out-of-repository...

CVE-2025-34414

Entrust Instant Financial Issuance IFI On Premise software formerly referred to as CardWizard versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP remoting channel with...

TencentOS Server 4: git (TSSA-2025:0605)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0605 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVE-2025-44021

OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling if a deployment was performed via the API. A malicious project assigned as a node owner can provide a path to any local file readable by ironic-conductor, which may then be written to the target...

SQL Injection

Overview dbgpt is a DB-GPT is an experimental open-source project that uses localized GPT large models to interact with your data and environment. With this solution, you can beassured that there is no risk of data leakage, and your data is 100% private and secure. Affected versions of this packa...

PT-2024-20995 · Ruvaroa · Ruvaroa

Name of the Vulnerable Software and Affected Versions: RuvarOA versions 6.01 through 12.01 Description: Error messages in RuvarOA were discovered to leak the physical path of the website, specifically at the /WorkFlow/OfficeFileUpdate.aspx endpoint. This issue can allow attackers to write files t...

GHSA-MQ66-VCFC-8246 Mercurial Path Traversal/Link Following vulnerability

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository...