5 matches found
CVE-2026-38976
mrubyc through 3.4.1 was found to contain a NULL pointer dereference in src/vm.c in opsuper / OPSUPER due to a missing runtime guard for top-level super...
UBUNTU-CVE-2026-43620
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recvfiles in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CFINCRECURSE in compatibility flags and sending a...
curl: CURLOPT_HSTS_CTRL disables shared HSTS without share guard — use-after-free and double-free
Hi all, CURLOPTHSTSCTRL set to a value without CURLHSTSENABLE unconditionally frees the easy's HSTS object — even when that object is shared via a CURLSH. The result is a use-after-free and a double-free on the shared 48-byte struct hsts block when the share or any other linked easy is later torn...
CVE-2026-34732
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php...
CVE-2026-28216
CVE-2026-28216 affects Hoppscotch before 2026.2.0. The issue is an improper authorization check in the user environments flow: the updateUserEnvironment mutation uses GqlAuthGuard but lacks a @GqlUser() decorator, so the service can process only the environment ID (no ownership filter) and execut...