Lucene search: 41362 matches found

OSV
added 2026/05/05 8:16 a.m., 0 views

UBUNTU-CVE-2026-43869

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...

CVSS 7.3 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 3
Vulnrichment
added 2026/05/05 7:25 a.m., 5 views

CVE-2026-43869 Apache Thrift: TSSLTransportFactory.java hostname verification

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...

AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/05 7:25 a.m., 2 views

CVE-2026-43869

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...

AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 2
AlpineLinux
added 2026/05/05 7:25 a.m., 3 views

CVE-2026-43869

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...

CVSS 7.3 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 2
Debian CVE
added 2026/05/05 7:25 a.m., 4 views

CVE-2026-43869

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...

CVSS 7.3 | AI score 5.8 | EPSS 0.00045
Exploits: 0
ICS
added 2026/05/05 6:00 a.m., 6 views

Johnson Controls CEM AC2000

Advisory summary: Successful exploitation of this vulnerability could allow a standard user to escalate privileges on the host machine. Recommended practices: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for...

CVSS 8.4 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 13
Positive Technologies
added 2026/05/05 12:00 a.m., 5 views

PT-2026-36996

Name of the vulnerable software and affected versions: fast-uri versions prior to 3.1.2. Description: The normalize function decoded percent-encoded authority delimiters within the host component and re-emitted them as raw delimiters during serialization. This allows a host combining an allowed...

CVSS 7.5 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 7
Positive Technologies
added 2026/05/05 12:00 a.m., 6 views

PT-2026-37269

Name of the vulnerable software and affected versions: Kubewarden versions prior to 1.35.0. Description: An attacker with permissions to create AdmissionPolicy or AdmissionPolicyGroup can craft a policy using the can_i host callback to enumerate RBAC permissions of any user or service account across...

CVSS 4.3 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 9
Positive Technologies
added 2026/05/05 12:00 a.m., 6 views

PT-2026-36985

Name of the vulnerable software and affected versions: Apache Thrift versions prior to 0.23.0. Description: Improper validation of certificates with host mismatch occurs in Apache Thrift. Recommendations: Upgrade to version 0.23.0...

CVSS 7.3 | AI score 5.8 | EPSS 0.00045
Exploits: 0 | References: 10
Tenable Nessus
added 2026/05/05 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-42146

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nbcolors field read from the BMP file header is used directly to compute an...

CVSS 5.5 | AI score 5.8 | EPSS 0.0002
Exploits: 0 | References: 3
Positive Technologies
added 2026/05/05 12:00 a.m., 6 views

PT-2026-37304

Name of the vulnerable software and affected versions: Link Preview JS versions prior to 4.0.1. Description: The library fails to check for the IPv6 loopback address and is susceptible to DNS attacks where a name resolves to an internal IP. These issues may lead to internal data leaks...

CVSS 8.7 | AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 7
OSV
added 2026/05/05 12:00 a.m., 7 views

ALSA-2026:13671 Important: image-builder security update

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood. Security fixes: net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679). For more details about the security issues, including the impact, a CVSS score,...

CVSS 7.5 | AI score 7.1 | EPSS 0.00044
Exploits: 0 | References: 4
Tenable Nessus
added 2026/05/05 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-31760

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - gpib: lpvousb: fix memory leak on disconnect. The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB device...

CVSS 5.5 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 2
Oracle linux
added 2026/05/05 12:00 a.m., 6 views

openssh security update

8.0p1-29.0.1
- Update upstream references. Orabug: 36587718
8.0p1-29
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol when not in preserving file mode. Resolves: RHEL-164743
- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode multiplexing sessions. Resolves:...

CVSS 8.1 | AI score 6 | EPSS 0.00067
Exploits: 0
CNNVD
added 2026/05/05 12:00 a.m., 4 views

fast-uri security vulnerability

fast-uri is an open-source, dependency-free RFC 3986 URI parser and toolkit developed by Fastify. Versions of fast-uri 3.1.1 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the normalize function decoding percent-encoded authority delimiters within the host...

CVSS 7.5 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 1
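Both fast-uri entries above (PT-2026-36996 and this CNNVD record) describe the same mechanism: a normalizer that percent-decodes reserved delimiters inside the host and serializes them raw, so the normalized string re-parses into a different authority. The block below is an added example, not fast-uri's code; parseAuthority, naiveNormalize and safeNormalize are illustrative names and the hosts are constructed. It puts a normalizer that decodes everything next to one that, as RFC 3986 section 6.2.2 requires, decodes only unreserved octets and leaves %40, %3A, %5B and %5D encoded, and it shows the property a consumer actually depends on: the host it validated is the host the serialized string still names.

```javascript
// RFC 3986 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~"
const UNRESERVED = /^[A-Za-z0-9._~-]$/;

// Split an authority into userinfo / host / port without decoding anything.
// Delimiters only count when they appear literally; "%40" is not "@".
function parseAuthority(authority) {
  const at = authority.lastIndexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  let host = hostport;
  let port = null;
  if (hostport.startsWith('[')) {                 // IP-literal "[v6]" optionally followed by ":port"
    const close = hostport.indexOf(']');
    host = hostport.slice(0, close + 1);
    if (hostport[close + 1] === ':') port = hostport.slice(close + 2);
  } else {
    const colon = hostport.lastIndexOf(':');
    if (colon !== -1) { host = hostport.slice(0, colon); port = hostport.slice(colon + 1); }
  }
  return { userinfo, host, port };
}

// Constructed to mirror the flaw: decode every %XX in the authority and emit the
// result raw, so "%40" becomes "@" and "%3A" becomes ":" in the serialized string.
function naiveNormalize(authority) {
  return decodeURIComponent(authority).toLowerCase();
}

// Structure-preserving percent-encoding normalization: decode a %XX only if it
// encodes an unreserved character, otherwise just upper-case its hex digits.
function pctNormalize(s, lowerCase = false) {
  if (lowerCase) s = s.toLowerCase();
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    if (!UNRESERVED.test(ch)) return '%' + hex.toUpperCase();
    return lowerCase ? ch.toLowerCase() : ch;
  });
}

// Safe normalization: parse first, normalize each component on its own, then
// reassemble. Only the host is case-insensitive; userinfo and port are left alone
// apart from percent-encoding cleanup.
function safeNormalize(authority) {
  const { userinfo, host, port } = parseAuthority(authority);
  let out = '';
  if (userinfo !== null) out += pctNormalize(userinfo) + '@';
  out += pctNormalize(host, true);
  if (port !== null) out += ':' + port;
  return out;
}

// Does the host survive normalize -> serialize -> re-parse? A caller that
// allowlists the host of the input and then hands the normalized string to an
// HTTP client is only safe when this holds.
function hostStableUnderNormalize(authority, normalize) {
  const expected = pctNormalize(parseAuthority(authority).host, true);
  return parseAuthority(normalize(authority)).host === expected;
}
```

The same rule applies to the IPv6 bracket delimiters: "%5B::1%5D" must stay encoded, because decoding it turns an opaque reg-name into a loopback IP-literal in the serialized form.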
OSV
added 2026/05/05 12:00 a.m., 2 views

ALSA-2026:13642 Important: image-builder security update

A local binary for building customized OS artifacts such as VM images and OSTree commits. Uses osbuild under the hood. Security fixes: net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679). For more details about the security issues, including the impact, a CVSS score,...

CVSS 7.5 | AI score 7.1 | EPSS 0.00044
Exploits: 0 | References: 4
Tenable Nessus
added 2026/05/05 12:00 a.m., 5 views

AlmaLinux 9 : image-builder (ALSA-2026:13671)

The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2026:13671 advisory. net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679). Tenable has extracted the preceding description block directly from the AlmaLinux...

CVSS 7.5 | AI score 7.2 | EPSS 0.00044
Exploits: 0 | References: 3
RedHat Linux
added 2026/05/04 11:37 p.m., 19 views

next: Next.js Server-Side Request Forgery in Server Actions

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the Host header is modified, and the conditions below are also met, an attacker may be able to make requests that appear to originate from the Next.js application server itself. The required...

CVSS 7.5 | AI score 7.1 | EPSS 0.92751
Exploits: 3 | References: 7
OSV
added 2026/05/04 9:17 p.m., 4 views

GHSA-GV7R-3MR9-H5X8 AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass

Summary: The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When th...

CVSS 8.1 | AI score 5.9 | EPSS 0.00076
Exploits: 1 | References: 5
Snyk
added 2026/05/04 9:17 p.m., 4 views

Weak Password Recovery Mechanism for Forgotten Password

Overview: Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the ApplyXForwarded process. An attacker can gain unauthorized access to user accounts and bypass two-factor authentication by injecting a malicious X-Forwarded-Host header...

CVSS 8.8 | AI score 5.8 | EPSS 0.00076
Exploits: 1 | References: 2