PT-2026-45061

Summary The Platform server exposes resources under /api/v1/workspaces/workspace id/... and protects them with a require workspace memberworkspace id FastAPI dependency. The dependency only checks that the caller is a member of the workspace id in the URL prefix. The route handlers then look up t...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: pfifotailenqueue: Drop a new packet when sch-limit == 0 Expected behavior: If the scheduler’s limit is reached, pfifotailenqueue will drop a packet from the scheduler’s queue and decrease the scheduler’s qlen by one. Then,...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: cgroup: Split cgroupdestroywq into 3 workqueues A hang can occur during 1 LTP cgroup testing when repeatedly mounting/unmounting perfevent and netprio controllers with systemd.unifiedcgrouphierarchy=1. The hang manifests in...

Astra Linux - уязвимость в xorg-server

A flaw was discovered in the X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can lead to a heap buffer overflow condition, which may result in an application...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: net: shaper: Protection against late creation of hierarchies. We retrieve a netdev object during the preparation of Netlink operations before callbacks. We then take a reference to it. Later, within the body of the callback, we...

Astra Linux - уязвимость в linux-5.10, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: UDF: Detection of system inodes linked into the directory hierarchy When the UDF filesystem is corrupted, hidden system inodes may be linked into the directory hierarchy. This can lead to further serious corruption of the...

Malicious code in @antv/hierarchy (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

1g6table (=0.1.0), 7qb (=0.0.17) +1703 more potentially affected by unknown CVE via @antv/hierarchy (>=0.1.2 <=0.7.1)

@antv/hierarchy NPM version =0.1.2, =1.1.0, =0.1.1, =0.1.1, =0.1.0, =0.0.2, =0.1.2, =1.1.43, =5.0.48, =0.1.0, =0.5.0-alpha.0, =0.1.0, =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4027...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

SUSE-SU-2026:21591-1 Security update for the Linux Kernel (Live Patch 3 for SUSE Linux Enterprise 16)

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.8.1 fixes various security issues The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI bsc1252048. - CVE-2025-71066: net/sched: ets: Always remove class from active list before...

Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Summary AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking whether the requesting user has viewAssets or viewPeerAssets permission ...

SUSE-SU-2026:21563-1 Security update for the Linux Kernel (Live Patch 2 for SUSE Linux Enterprise 16)

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.7.1 fixes various security issues The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI bsc1252048. - CVE-2025-71066: net/sched: ets: Always remove class from active list before...

SUSE-SU-2026:21562-1 Security update for the Linux Kernel (Live Patch 1 for SUSE Linux Enterprise 16)

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.6.1 fixes various security issues The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI bsc1252048. - CVE-2025-71066: net/sched: ets: Always remove class from active list before...

PT-2026-38287

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.17 Description The actionShowInFolder function within the AssetsController fetches an asset by ID and returns its filename and complete folder hierarchy, including volume handle, volume UID, folder name...

SUSE-SU-2026:21520-1 Security update for the Linux Kernel RT (Live Patch 7 for SUSE Linux Enterprise 16)

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.28.1 fixes various security issues The following security issues were fixed: - CVE-2026-23437: net: shaper: protect late read accesses to the hierarchy bsc1261845. - CVE-2026-31406: xfrm: Fix work re-schedule after cancel in...

Astra Linux - уязвимость в linux-5.10, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: irqchip/qcom-mpm: This issue prevents crashes when attempting to handle non-wake GPIOs. On Qualcomm chipsets, not all GPIOs are wake-up capable. These GPIOs do not have a corresponding MPM pin and should not be handled within the...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: fbdev: Fixed the issue of unregistering framebuffers without a device. Framebuffers in OF do not have a underlying device in the Linux device hierarchy. Instead of hot-unplugging such non-existent devices, a regular unregister...

CVE-2026-5941 Foxit PDF Editor/Reader AcroForm Signature Remote Code Execution Vulnerability

Parsing logic flaws cause non-signature data to be misidentified as valid signatures when processing malformed form field hierarchies, leading to invalid memory writes and program crashes during internal data structure construction...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013796)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013796 advisory. In the Linux kernel, the following vulnerability has been resolved: udf: Detect system inodes linked into directory hierarchy When UDF filesystem is corrupted, hidde...

PT-2026-34435

In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix use after free of parent port in cxl detach ep cxl detach ep is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the...