Rockylinux · added 2026/04/09 12:1 a.m.

nodejs:22 security update

An update is available for nodejs, module.nodejs-packaging, nodejs-packaging, module.nodejs, nodejs-nodemon, module.nodejs-nodemon. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability...

CVSS 9.8 · AI score 6.9 · EPSS 0.00175
Exploits: 2
Positive Technologies · added 2026/04/09 12:0 a.m.

PT-2026-31715

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run ...

CVSS 6.8 · AI score 5.9 · EPSS 0.00027
Exploits: 0 · References: 4
Positive Technologies · added 2026/04/09 12:0 a.m.

PT-2026-31626

Name of the vulnerable software and affected versions: DicomStreamReader (affected versions not specified). Description: An out-of-bounds read issue exists in DicomStreamReader when parsing DICOM meta-headers. Processing malformed metadata structures can cause the parser to read beyond the allocated...

AI score 5.8 · EPSS 0.00057
Exploits: 0 · References: 7
Tenable Nessus · added 2026/04/09 12:0 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-5437

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An out-of-bounds read vulnerability exists in DicomStreamReader during DICOM meta-header parsing. When processing malformed metadata structures, the parser may...

CVSS 7.5 · AI score 7.3 · EPSS 0.00057
Exploits: 0 · References: 3
OSV · added 2026/04/09 12:0 a.m.

ALSA-2026:7350 Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security fixes: nodejs: Node.js denial of service (CVE-2026-21637); brace-expansion: denial of service via unbounded brace range expansion...

CVSS 9.8 · AI score 5.8 · EPSS 0.00175
Exploits: 1 · References: 38
CNNVD · added 2026/04/09 12:0 a.m.

Orthanc security vulnerability

Orthanc is a free open-source software developed by the Orthanc company. Orthanc has a security vulnerability, which stems from the HTTP server’s unlimited use of the Content-Length header, leading to a memory exhaustion issue. This vulnerability may cause excessive memory allocation and...

CVSS 7.5 · AI score 5.8 · EPSS 0.01887
Exploits: 0 · References: 4
Tenable Nessus · added 2026/04/09 12:0 a.m.

RockyLinux 9 : nodejs:24 (RLSA-2026:7350)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:7350 advisory. nodejs: Node.js denial of service (CVE-2026-21637); brace-expansion: denial of service via unbounded brace range expansion (CVE-2026-25547)...

CVSS 9.8 · AI score 6.7 · EPSS 0.00175
Exploits: 1 · References: 37
AlmaLinux · added 2026/04/09 12:0 a.m.

Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security fixes: nodejs: Node.js denial of service (CVE-2026-21637); brace-expansion: denial of service via unbounded brace range expansion...

CVSS 9.8 · AI score 6.7 · EPSS 0.00175
Exploits: 1 · References: 38
CNNVD · added 2026/04/09 12:0 a.m.

Apollo MCP Server access control error vulnerability

The Apollo MCP Server is an open-source service from Apollo GraphQL that exposes GraphQL operations as AI tools. Versions of the Apollo MCP Server prior to 1.7.0 contained an access control vulnerability. This vulnerability stemmed from the lack of validation of the Host header in incoming HTTP...

CVSS 8.1 · AI score 5.8 · EPSS 0.00027
Exploits: 0 · References: 4
Positive Technologies · added 2026/04/09 12:0 a.m.

PT-2026-31629

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large Content-Length val...

AI score 5.9 · EPSS 0.01887
Exploits: 0 · References: 4
Tenable Nessus · added 2026/04/09 12:0 a.m.

Python Library Django 4.2.x < 4.2.30 / 5.2.x < 5.2.13 / 6.0.x < 6.0.4 Multiple Vulnerabilities

The detected version of the Django Python package is 4.2.x prior to 4.2.30, 5.2.x prior to 5.2.13, or 6.0.x prior to 6.0.4. It is, therefore, affected by multiple vulnerabilities, including: - ASGIRequest allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header...

CVSS 9.8 · AI score 5.9 · EPSS 0.00049
Exploits: 1 · References: 6
Tenable Nessus · added 2026/04/09 12:0 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-5440

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the...

CVSS 7.5 · AI score 5.8 · EPSS 0.01887
Exploits: 0 · References: 3
Tenable Nessus · added 2026/04/09 12:0 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-29181

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value...

CVSS 7.5 · AI score 5.8 · EPSS 0.00077
Exploits: 1 · References: 2
Tenable Nessus · added 2026/04/09 12:0 a.m.

RHEL 9 : nodejs:24 (RHSA-2026:7350)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7350 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

CVSS 9.8 · AI score 7.3 · EPSS 0.00175
Exploits: 1 · References: 38
SUSE CVE · added 2026/04/08 11:25 p.m.

SUSE CVE-2026-33034

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...

CVSS 5.3 · AI score 5.8 · EPSS 0.00035
Exploits: 0 · References: 4
NVD · added 2026/04/08 8:16 p.m.

CVE-2026-39411

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

CVSS 7.1 · EPSS 0.00025
Exploits: 0 · References: 4
Snyk · added 2026/04/08 7:53 p.m.

Server-side Request Forgery (SSRF)

Overview: n8n-mcp is an integration between n8n workflow automation and the Model Context Protocol (MCP). Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the instance-URL header in multi-tenant HTTP mode. An authenticated attacker can cause the server to issue HTT...

CVSS 8.5 · AI score 5.9 · EPSS 0.00013
Exploits: 0 · References: 2
Vulnrichment · added 2026/04/08 7:37 p.m.

CVE-2026-39411 LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

CVSS 5 · AI score 6 · EPSS 0.00025
Exploits: 0 · References: 4
Cvelist · added 2026/04/08 7:37 p.m.

CVE-2026-39411 LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

CVSS 5 · EPSS 0.00025
Exploits: 0 · References: 4
CVE · added 2026/04/08 7:37 p.m.

CVE-2026-39411

CVE-2026-39411 (LobeHub) describes an unauthenticated authentication bypass on the webapi routes via a forgeable, client-controlled X-lobe-chat-auth header. Before version 2.1.48, the webapi authentication layer trusts an XOR-obfuscated header (hardcoded key: “LobeHub · LobeHub”) and treats decod...

CVSS 7.1 · AI score 6 · EPSS 0.00025
Exploits: 0 · References: 4 · Affected software: 1