CVE-2026-42275 zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a...

CVE-2026-42273 Heimdall: Case-sensitive host matching may lead to policy bypass

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVE-2026-42273

CVE-2026-42273 affects Heimdall (cloud native Identity Aware Proxy and Access Control Decision service). Prior to version 0.17.14, host matching is case-sensitive while HTTP hostnames are case-insensitive, which can cause a request to be classified differently than intended and potentially bypass...

CVE-2026-42273 Heimdall: Case-sensitive host matching may lead to policy bypass

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

EUVD-2026-28509

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVE-2026-42273

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host...

CVE-2026-42203

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the...

CVE-2026-42271 LiteLLM: Authenticated command execution via MCP stdio test endpoints

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

EUVD-2026-28507

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

CVE-2026-42271

Summary: CVE-2026-42271 affects LiteLLM up to v1.83.7, where two MCP preview endpoints (POST /mcp-rest/test/connection and /tools/list) could spawn arbitrary commands via stdio transport when provided a full server config, restricted only by a valid API key. The subprocess ran with the proxy’s pr...

CVE-2026-42271 LiteLLM: Authenticated command execution via MCP stdio test endpoints

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration i...

SUSE CVE-2026-23926

An authenticated non-super administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens th...

SUSE CVE-2026-23928

The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...

PT-2026-39110

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A slab-out-of-bounds issue exists in the nvme-pci component. The problem occurs in the nvme dbbuf set function due to an incorrect loop condition. The dev-online queues variable tracks t...

Electerm 参数注入漏洞

Electerm is a SSH/SFTP client developed by ZXDong262 from China, based on Electron. Versions of Electerm 3.8.15 and earlier have a parameter injection vulnerability. This vulnerability arises from the fact that the terminal hyperlink processor does not validate URLs with respect to protocols. Thi...

CVE-2023-42346

Alkacon OpenCms before 16 allows XXE when the refers to an external host...

PT-2026-38918

Name of the Vulnerable Software and Affected Versions Apache CloudStack versions prior to 4.20.3.0 Apache CloudStack versions prior to 4.22.0.1 Description Account users can register templates for direct download to primary storage when deploying instances using the KVM hypervisor. Due to missing...

PT-2026-39058

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory leak exists in the samsung dsim host attach function. When drm bridge add is called to add the bridge, a failure in samsung dsim register te irq or pdata-host ops-attach causes...

PT-2026-39076

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A race condition exists in the ufshcd wl suspend function. The cancel delayed work sync call is positioned after ufshcd vops suspend, allowing ufshcd rtc work to run while ufshcd vops...

Linux Distros Unpatched Vulnerability : CVE-2026-41506

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentia...