Security update for python313

This update for python313 fixes the following issues: Update to v3.13.13 CVE-2025-13462: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined bsc1259611. CVE-2026-2297: cpython: incorrectly handled hook in FileLoader can lead to validation bypass bsc1259240...

Security update for python311

This update for python311 fixes the following issues: Updated to Python 3.11.15 CVE-2025-6075: If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment variables bsc1252974. CVE-2025-11468: header injection when folding a long...

SUSE-SU-2026:1349-1 Security update for python311

This update for python311 fixes the following issues: - Updated to Python 3.11.15 - CVE-2025-6075: If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment variables bsc1252974. - CVE-2025-11468: header injection when folding a...

RLSA-2026:7675 Important: nodejs24 security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

Security update for python36

This update for python36 fixes the following issues: CVE-2025-13462: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined bsc1259611. CVE-2026-3479: python: improper resource argument validation can allow path traversal bsc1259989. CVE-2026-3644: incomplete contro...

SUSE-SU-2026:1345-1 Security update for python36

This update for python36 fixes the following issues: - CVE-2025-13462: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined bsc1259611. - CVE-2026-3479: python: improper resource argument validation can allow path traversal bsc1259989. - CVE-2026-3644: incomplete...

CVE-2026-33805

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

HTTP Header Injection

Overview @fastify/reply-from is a forward your HTTP request to another server, for fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for...

HTTP Header Injection

Overview @fastify/http-proxy is a proxy http requests, for Fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for routing, access control,...

CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

CVE-2026-33805 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

CVE-2026-33805

@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them i...

CVE-2026-33805

CVE-2026-33805 affects @fastify/reply-from <= v12.6.1 and @fastify/http-proxy

curl: lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)

Summary: settransferurl in lib/http2.c validates the :scheme pseudo-header of PUSHPROMISE frames only when !viasslconn — a guard added by commit 2e8c922a to block non-TLS connections from accepting TLS-scheme pushes. The symmetric case was not addressed: over TLS, viasslconn is TRUE, the guard at...

CVE-2026-39971

Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $SERVER'HTTPHOST' directly into the Message-ID SMTP header without validation, and the existing sanitization function serendipityisResponseClean is not...

CVE-2026-33806

Impact: Fastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped. This is a regression introduced in fastify = 5.3...

CVE-2026-40499

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's printgvars function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted...

CVE-2026-40499

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's printgvars function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted...

CVE-2026-40499

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's printgvars function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted...

CVE-2026-40499

Radare2