
40999 matches found

ATTACKERKB, added 2026/05/08 1:31 p.m.

CVE-2026-43322

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete. This fixes the following backtrace, caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync, so hci_conn_del -> hci_cmd_sync_dequeue is not...

AI score: 5.7, EPSS: 0.00021
Exploits: 0, References: 3, Affected software: 1
Debian CVE, added 2026/05/08 1:31 p.m.

CVE-2026-43322

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete. This fixes the following backtrace, caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync, so hci_conn_del -> hci_cmd_sync_dequeue is not...

CVSS: 8.8, AI score: 5.7, EPSS: 0.00021
Exploits: 0
OSV, added 2026/05/08 11:50 a.m.

CLSA-2026-1778157268 dnsmasq: Fix of CVE-2022-0934

CVE-2022-0934: Fix write-after-free in DHCPv6 relay handling that could be triggered by a crafted packet, leading to denial of service. - rfc3315: fix bad reply to DHCPCONFIRM messages (wrong message type) - rfc3315: fix integer underflow and heap overflow in log6_opts STATUS_CODE - rfc3315: fix...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00019
Exploits: 0, References: 1
OSV, added 2026/05/08 6:32 a.m.

GHSA-PJ6P-9P8X-5MFC Alkacon OpenCms is vulnerable to XXE when the <!DOCTYPE> refers to an external host

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00079
Exploits: 0, References: 3
NVD, added 2026/05/08 4:16 a.m.

CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVSS: 7.8, EPSS: 0.00056
Exploits: 0, References: 4
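The Heimdall entries above describe a matching bug rather than a parsing one: a rule written for `api.example.com` is simply not selected when the request arrives with `API.example.com`, and the request then gets whatever treatment the proxy gives to unmatched hosts. The Go program below is an added illustration, not Heimdall's code; the `Rule` type, `DemoRules` and the host list are constructed for the example. It shows the byte-for-byte comparison next to a hardened variant that canonicalises both sides (lower-case, port stripped, trailing dot stripped) before comparing.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is a deliberately minimal stand-in for a host-keyed access rule.
// It is a constructed type for this example, not Heimdall's rule model.
type Rule struct {
	Host   string // host the rule was written for
	Policy string // what the rule enforces, e.g. "require-jwt" or "public"
}

// DemoRules is a constructed rule set: the API host requires a token,
// the marketing site is public.
func DemoRules() []Rule {
	return []Rule{
		{Host: "api.example.com", Policy: "require-jwt"},
		{Host: "www.example.com", Policy: "public"},
	}
}

// matchExact reproduces the flawed behaviour described in the advisory:
// the request's Host value is compared byte-for-byte with the rule host,
// so "API.example.com" selects no rule at all and whatever default the
// proxy applies to unmatched requests takes over.
func matchExact(rules []Rule, reqHost string) (Rule, bool) {
	for _, r := range rules {
		if r.Host == reqHost {
			return r, true
		}
	}
	return Rule{}, false
}

// canonicalHost normalises a Host header value before it is matched:
// strip an optional port, strip the trailing dot of a fully-qualified
// name, and lower-case it (DNS names and HTTP host names are
// case-insensitive).
func canonicalHost(h string) string {
	h = strings.TrimSpace(h)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	h = strings.TrimSuffix(h, ".")
	return strings.ToLower(h)
}

// matchCanonical is the hardened variant: both sides of the comparison
// are canonicalised, so case, port and trailing dot cannot deselect a rule.
func matchCanonical(rules []Rule, reqHost string) (Rule, bool) {
	want := canonicalHost(reqHost)
	for _, r := range rules {
		if canonicalHost(r.Host) == want {
			return r, true
		}
	}
	return Rule{}, false
}

func main() {
	rules := DemoRules()
	for _, h := range []string{"api.example.com", "API.example.com", "Api.Example.COM.:8443"} {
		_, exact := matchExact(rules, h)
		r, canon := matchCanonical(rules, h)
		fmt.Printf("%-24s exact=%-5v canonical=%-5v policy=%s\n", h, exact, canon, r.Policy)
	}
}
```

Two caveats worth keeping in mind when applying this to a real proxy: canonicalise rule hosts once at load time rather than on every request, and treat internationalised host names separately (they should be converted to their punycode form, for instance with golang.org/x/net/idna, before the comparison; the example does not do that). The fail-closed question also matters: if an unmatched host falls through to a permissive default, every normalisation gap becomes a bypass, so the default for unknown hosts should deny.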
NVD, added 2026/05/08 4:16 a.m.

CVE-2026-42271

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

CVSS: 8.8, EPSS: 0.04116
Exploits: 1, References: 3
Vulnrichment, added 2026/05/08 3:45 a.m.

CVE-2026-42275 zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a...

CVSS: 8.7, AI score: 5.8, EPSS: 0.00054
Exploits: 0, References: 3
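The zrok entry above is the classic gap between lexical and physical containment: cleaning and prefix-checking a path stops `../` traversal, but it never consults the file system, so a symlink that sits inside the share root and points outside it passes the check. The Go program below is an added example, not zrok's code; the fixture layout (a `share` root with an `escape` link to a `secret.txt` outside it) is constructed for the demonstration. It places the lexical-only check next to a resolver that follows symlinks with `filepath.EvalSymlinks` and re-checks containment on the real path, including the write case where the target does not exist yet.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request path does not stay inside the share root.
var ErrOutsideRoot = errors.New("path resolves outside the share root")

// within reports whether p is root itself or lies below it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// lexicalResolve is the weak check: join, clean, compare. It blocks "../"
// traversal but never looks at the file system, so a symlink inside root
// that points outside passes unnoticed.
func lexicalResolve(root, name string) (string, error) {
	p := filepath.Join(root, filepath.Clean("/"+name))
	if !within(root, p) {
		return "", ErrOutsideRoot
	}
	return p, nil
}

// safeResolve keeps the lexical guard and then resolves symlinks on the
// real file system. For a path that does not exist yet (a PUT creating a
// new file) it resolves the parent directory instead, so a write cannot
// land outside the root either.
func safeResolve(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(realRoot, filepath.Clean("/"+name))
	if !within(realRoot, candidate) { // defence in depth; Clean("/"+name) already neutralises ".."
		return "", ErrOutsideRoot
	}
	resolved, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, fs.ErrNotExist) {
		parent, perr := filepath.EvalSymlinks(filepath.Dir(candidate))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(candidate))
	} else if err != nil {
		return "", err
	}
	if !within(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// BuildFixture creates a constructed layout under a fresh temp directory:
//
//	<tmp>/secret.txt          a file outside the share
//	<tmp>/share/              the share root (the DriveRoot)
//	<tmp>/share/escape  ->  <tmp>/secret.txt
//
// It returns the temp dir (for cleanup) and the share root.
func BuildFixture() (string, string, error) {
	tmp, err := os.MkdirTemp("", "drive-demo")
	if err != nil {
		return "", "", err
	}
	root := filepath.Join(tmp, "share")
	if err := os.Mkdir(root, 0o700); err != nil {
		return "", "", err
	}
	secret := filepath.Join(tmp, "secret.txt")
	if err := os.WriteFile(secret, []byte("constructed secret\n"), 0o600); err != nil {
		return "", "", err
	}
	if err := os.Symlink(secret, filepath.Join(root, "escape")); err != nil {
		return "", "", err
	}
	return tmp, root, nil
}

func main() {
	tmp, root, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	for _, name := range []string{"escape", "../secret.txt", "new.txt"} {
		lp, lerr := lexicalResolve(root, name)
		sp, serr := safeResolve(root, name)
		fmt.Printf("%-14s lexical: %q %v\n", name, lp, lerr)
		fmt.Printf("%-14s safe:    %q %v\n", "", sp, serr)
	}
}
```

Resolving before use still leaves a check-then-use window if an attacker who can write into the share swaps the link between `safeResolve` and the subsequent open; where that matters, open relative to the root with symlink following confined to it (Go 1.24's `os.OpenRoot`, or `openat2` with `RESOLVE_BENEATH` on Linux) rather than trusting a path string that was safe a moment ago.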
Vulnrichment, added 2026/05/08 3:42 a.m.

CVE-2026-42273 Heimdall: Case-sensitive host matching may lead to policy bypass

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVSS: 7.8, AI score: 5.7, EPSS: 0.00056
Exploits: 0, References: 4
CVE, added 2026/05/08 3:42 a.m.

CVE-2026-42273

CVE-2026-42273 affects Heimdall (cloud native Identity Aware Proxy and Access Control Decision service). Prior to version 0.17.14, host matching is case-sensitive while HTTP hostnames are case-insensitive, which can cause a request to be classified differently than intended and potentially bypass...

CVSS: 7.8, AI score: 5.7, EPSS: 0.00056
Exploits: 0, References: 4
Cvelist, added 2026/05/08 3:42 a.m.

CVE-2026-42273 Heimdall: Case-sensitive host matching may lead to policy bypass

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVSS: 7.8, EPSS: 0.00056
Exploits: 0, References: 4
EUVD, added 2026/05/08 3:42 a.m.

EUVD-2026-28509

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVSS: 7.8, AI score: 5.7, EPSS: 0.00056
Exploits: 0, References: 4
ATTACKERKB, added 2026/05/08 3:42 a.m.

CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVSS: 7.8, AI score: 5.7, EPSS: 0.00056
Exploits: 0, References: 5, Affected software: 1
ATTACKERKB, added 2026/05/08 3:36 a.m.

CVE-2026-42203

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the...

CVSS: 8.6, AI score: 6, EPSS: 0.00058
Exploits: 1, References: 3, Affected software: 1
Vulnrichment, added 2026/05/08 3:35 a.m.

CVE-2026-42271 LiteLLM: Authenticated command execution via MCP stdio test endpoints

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

CVSS: 8.7, AI score: 5.9, EPSS: 0.04116
Exploits: 1, References: 2
EUVD, added 2026/05/08 3:35 a.m.

EUVD-2026-28507

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

CVSS: 8.8, AI score: 6, EPSS: 0.04116
Exploits: 1, References: 2
CVE, added 2026/05/08 3:35 a.m.

CVE-2026-42271

Summary: CVE-2026-42271 affects LiteLLM from version 1.74.2 to before version 1.83.7, where two MCP preview endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list) could spawn arbitrary commands via the stdio transport when given a full server configuration, gated only by a valid API key. The subprocess ran with the proxy's pr...

CVSS: 8.8, AI score: 6, EPSS: 0.04116
Exploited in the wild; Exploits: 1, References: 3, Affected software: 1
Cvelist, added 2026/05/08 3:35 a.m.

CVE-2026-42271 LiteLLM: Authenticated command execution via MCP stdio test endpoints

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

CVSS: 8.7, EPSS: 0.04116
Exploits: 1, References: 2
SUSE CVE, added 2026/05/08 2:23 a.m.

SUSE CVE-2026-23926

An authenticated non-super-administrator can create a maintenance period with a JavaScript payload that is executed by any user who opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens th...

CVSS: 7.3, AI score: 5.8, EPSS: 0.0008
Exploits: 0, References: 3
SUSE CVE, added 2026/05/08 2:23 a.m.

SUSE CVE-2026-23928

The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...

CVSS: 7.3, AI score: 5.9, EPSS: 0.0008
Exploits: 0, References: 3
Positive Technologies, added 2026/05/08 12:00 a.m.

PT-2026-38918

Vulnerable software and affected versions: Apache CloudStack versions prior to 4.20.3.0; Apache CloudStack versions prior to 4.22.0.1. Description: Account users can register templates for direct download to primary storage when deploying instances using the KVM hypervisor. Due to missing...

CVSS: 8.8, AI score: 6.2, EPSS: 0.00024
Exploits: 0, References: 6