
36321 matches found

Snyk
added 2026/04/15 7:19 p.m., 6 views

Always-Incorrect Control Flow Implementation

Overview: Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

CVSS 6.3, AI score 5.8, EPSS 0.00057
Exploits 0, References 2
OSV
added 2026/04/15 7:19 p.m., 1 view

GHSA-XMJ9-7625-F634 Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache

Affected Components: DSF FHIR Server with enabled bearer-token authentication or back-channel logout; DSF BPE Server with enabled bearer-token authentication or back-channel logout; DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication. Summa...

CVSS 6.3, AI score 5.8, EPSS 0.00057
Exploits 0, References 5
Github Security Blog
added 2026/04/15 7:19 p.m., 7 views

Data Sharing Framework is Missing Session Timeout for OIDC Sessions

Affected Components: DSF FHIR Server with enabled OIDC authentication; DSF BPE Server with enabled OIDC authentication. Summary: OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. Impact: If...

CVSS 6.8, AI score 5.8, EPSS 0.00025
Exploits 0, References 7, Affected software 3
Snyk
added 2026/04/15 7:19 p.m., 5 views

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by...

CVSS 6.8, AI score 5.8, EPSS 0.00025
Exploits 0, References 2
vulnersOsv
added 2026/04/15 6:31 p.m., 4 views

aero.m-click:mcpdf (>=0.2.3 <=0.2.10), ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.6.0.0) +20657 more potentially affected by CVE-2026-5588 via org.bouncycastle:bcpkix-jdk15on (>=1.49 <=1.70)

org.bouncycastle:bcpkix-jdk15on MAVEN version =1.49, =0.2.3, =4.4.0.0, =0.1.12, =0.1.2, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.3.0, =0.3.1-rc2 and more Source cves: CVE-2026-5588 Source advisory: OSV:GHSA-WG6Q-6289-32HP...

CVSS 6.3, AI score 7.2, EPSS 0.00013
Exploits 0
Packet Storm News
added 2026/04/15 12:00 a.m., 2 views

VeriCWEty: Embedding Enabled Line-Level CWE Detection in Verilog

Large Language Models (LLMs) have shown significant improvement in RTL code generation. Despite the advances, the generated code is often riddled with common vulnerabilities and weaknesses (CWEs) that can slip by untrained eyes. Attackers can often exploit these weaknesses to fulfill their nefarious...

AI score 5.8
Exploits 0
EUVD
added 2026/04/14 11:31 p.m., 5 views

EUVD-2026-22404

Microsoft Security Advisory CVE-2026-26171 – .NET Denial of Service Vulnerability...

CVSS 7.5, AI score 6.2, EPSS 0.03084
Exploits 0, References 3
EUVD
added 2026/04/14 11:30 p.m., 3 views

EUVD-2026-22635

Microsoft Security Advisory CVE-2026-33116 – .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability...

CVSS 7.5, AI score 6.2, EPSS 0.08014
Exploits 0, References 4
Github Security Blog
added 2026/04/14 11:30 p.m., 10 views

Microsoft Security Advisory CVE-2026-33116 – .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in...

CVSS 7.5, AI score 6.2, EPSS 0.08014
Exploits 0, References 5, Affected software 1
EUVD
added 2026/04/14 11:27 p.m., 4 views

EUVD-2026-22562

Microsoft Security Advisory CVE-2026-32178 – .NET Spoofing Vulnerability...

CVSS 7.5, AI score 6.2, EPSS 0.00057
Exploits 0, References 4
OSV
added 2026/04/14 11:27 p.m., 2 views

GHSA-VMWF-M9C5-3JVC Microsoft Security Advisory CVE-2026-32178 – .NET Spoofing Vulnerability

Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in...

AI score 6.2, EPSS 0.00057
Exploits 0, References 5
Github Security Blog
added 2026/04/14 10:32 p.m., 5 views

Serendipity has a Host Header Injection allows authentication cookie scoping to attacker-controlled domain in functions_config.inc.php

Summary: The serendipity_setCookie function uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie. An attacker can force authentication cookies — including session tokens and auto-login tokens — to be scoped to an attacker-controlled domain, facilitating session hijacking...

CVSS 6.9, AI score 5.8, EPSS 0.00075
Exploits 1, References 4, Affected software 1
RedhatCVE
added 2026/04/14 7:22 p.m., 1 view

CVE-2026-23891

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting...

CVSS 9.3, AI score 6.5, EPSS 0.00053
Exploits 0, References 1
NCSC
added 2026/04/14 7:18 p.m., 4 views

Vulnerabilities fixed in Microsoft Developer tools

Microsoft has fixed vulnerabilities in .NET, .NET Framework, Visual Studio and PowerShell. A malicious party can exploit the vulnerabilities to launch attacks that can lead to the following categories of damage: - Denial-of-Service (DoS) - Accessing sensitive data - Circumvention of a security...

CVSS 7.8, AI score 5.7, EPSS 0.08014
Exploits 0
RedhatCVE
added 2026/04/14 6:47 p.m., 2 views

CVE-2026-32178

A flaw was found in the .NET runtime System.Net.Mail in how email address data is parsed. Improper neutralization of special characters, specifically carriage return and line feed (CR/LF) sequences, may allow specially crafted email address input to be interpreted incorrectly. An attacker could...

CVSS 7.5, AI score 6.1, EPSS 0.00057
Exploits 0, References 3
RedhatCVE
added 2026/04/14 6:47 p.m., 5 views

CVE-2026-26171

A flaw was found in .NET. A remote attacker could exploit a vulnerability related to unsafe transforms in EncryptedXml. This could lead to a Denial of Service (DoS), making the service unavailable, and a bypass of security features. Mitigation: Mitigation for this issue is either not available or th...

CVSS 7.5, AI score 5.7, EPSS 0.03084
Exploits 0, References 3
RedhatCVE
added 2026/04/14 6:43 p.m., 3 views

CVE-2026-23666

A flaw was found in .NET Framework. An unauthorized attacker can exploit a race condition, which is a concurrent execution using shared resources with improper synchronization, to deny service over a network. This vulnerability can lead to a Denial of Service (DoS) for affected systems. Mitigation...

CVSS 7.5, AI score 5.8, EPSS 0.0013
Exploits 0, References 4
RedhatCVE
added 2026/04/14 6:40 p.m., 3 views

CVE-2026-32226

A flaw was found in .NET Framework. This vulnerability, a race condition, allows an unauthorized attacker to exploit improper synchronization when shared resources are concurrently executed. This can lead to a Denial of Service (DoS) over a network, making the affected system or application...

CVSS 5.9, AI score 5.7, EPSS 0.00082
Exploits 0, References 4
EUVD
added 2026/04/14 6:30 p.m., 4 views

EUVD-2026-22363

Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network...

CVSS 7.5, AI score 5.9, EPSS 0.0013
Exploits 0, References 2
NVD
added 2026/04/14 6:17 p.m., 2 views

CVE-2026-33116

Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network...

CVSS 7.5, EPSS 0.08014
Exploits 0, References 1