SUSE-SU-2026:20434-1 Security update for openCryptoki

This update for openCryptoki fixes the following issues: Upgrade openCryptoki to 3.26 jscPED-14609 Security fixes: - CVE-2026-22791: supplying malformed compressed EC public key can lead to heap corruption or denial-of-service bsc1256673. - CVE-2026-23893: Privilege Escalation or Data Exposure vi...

SUSE-SU-2026:20345-1 Security update for openCryptoki

This update for openCryptoki fixes the following issues: Upgrade openCryptoki to 3.26 jscPED-14609 Security fixes: - CVE-2026-22791: supplying malformed compressed EC public key can lead to heap corruption or denial-of-service bsc1256673. - CVE-2026-23893: Privilege Escalation or Data Exposure vi...

MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution

Description MagicLink stores serialized action objects in the magiclinks.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records e.g., via S...

GHSA-R33W-FG8J-9C94 MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution

Description MagicLink stores serialized action objects in the magiclinks.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records e.g., via S...

Sensitive Information Disclosure

Amazon SageMaker Python SDK is vulnerable to sensitive information disclosure. The vulnerability is due to the ModelBuilder HMAC signing key being returned in cleartext in the DescribeTrainingJob API response, which allows an attacker with API access and S3 output write permissions to upload...

CVE-2025-68621 Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC...

Trilium Notes 安全漏洞

Trilium Notes is a hierarchical note-taking application developed by Zadam, the individual developer of this project. It focuses on building large personal knowledge bases. Versions of Trilium Notes prior to 0.101.0 contained security vulnerabilities. These vulnerabilities stemmed from critical...

Security Bulletin: auth0/node-jws HS256 signature verification bypass via improper HMAC secret handling (≤3.2.2, 4.0.0)

Summary auth0/node-jws HS256 signature verification bypass due to improper HMAC secret handling versions ≤ 3.2.2 and 4.0.0 Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0,...

Insertion of Sensitive Information Into Sent Data

Overview sagemaker is an Open source library for training and deploying models on Amazon SageMaker. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the storage of HMAC keys and disclosure through the DescribeTrainingJob API. An attacker ca...

SageMaker Python SDK has Exposed HMAC

Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified. Impact - Function and Payload...

GHSA-RJRP-M2JW-PV9C SageMaker Python SDK has Exposed HMAC

Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified. Impact - Function and Payload...

CVE-2026-1777

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output...

Amazon SageMaker Python SDK 安全漏洞

Amazon SageMaker Python SDK is a development toolkit provided by Amazon, Inc., for building, training, and deploying machine learning models. Versions of the Amazon SageMaker Python SDK prior to v3.2.0 and v2.256.0 contained security vulnerabilities. These vulnerabilities stemmed from the plainte...

PT-2026-5708

Name of the Vulnerable Software and Affected Versions Amazon SageMaker Python SDK versions prior to 3.2.0 Amazon SageMaker Python SDK versions prior to 2.256.0 Description The Amazon SageMaker Python SDK contains the ModelBuilder HMAC signing key in cleartext within the response elements of the...

Node.js: Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery

Vulnerability description not provided...

CVE-2026-22782

RustFS is a distributed object storage system built in Rust. From = 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. In...

CVE-2026-22782

RustFS is a distributed object storage system built in Rust. From = 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. In...

CVE-2026-22782

RustFS is a distributed object storage system built in Rust. From = 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. In...

CVE-2026-22782 RustFS RPC signature verification logs shared secret

RustFS is a distributed object storage system built in Rust. From = 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. In...

CVE-2026-22782 RustFS RPC signature verification logs shared secret

RustFS is a distributed object storage system built in Rust. From = 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. In...