Important: python3

Issue Overview: Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. CVE-2026-4786 Use-after-free UAF wa...

Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload

Summary A remote, unauthenticated denial-of-service vulnerability in Batch.Decompress data/batch/batch.go allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is...

BIT-PYTHON-2026-6100 Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure

Use-after-free UAF was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling...

The vulnerabilities of the functions module_gzip_decompress() and module_xz_decompress() in the kernel/module/decompress.c module of the Linux operating system’s kernel module loading subsystem allow a hacker to cause a service failure.

The vulnerability of the functions modulegzipdecompress and modulexzdecompress in the kernel/module/decompress.c module of the Linux operating system’s kernel module loading subsystem is related to improper checking of error values for pointers. Exploiting this vulnerability could allow an attack...