UBUNTU-CVE-2026-39821

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode"xn--example-.com" incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna...

GHSA-V228-72C7-FX8J open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

Summary src/utils/urlSafety.ts exposes isPublicHttpUrl / assertPublicHttpUrl, used to gate the MCP fetchWebContent tool against private-network targets. The check has two defects that together allow non-blind SSRF with the response body returned to the caller: 1. Bracketed IPv6 literals are never...

JLSEC-2026-417 libcurl did not check the server certificate of TLS connections done to a host specified as an IP...

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate...

RHCOS 1 : ruby193-ruby (RHSA-2013:1137)

The remote Red Hat Enterprise Linux CoreOS 1 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2013:1137 advisory. - ruby: hostname check bypassing vulnerability in SSL client CVE-2013-4073 Note that Nessus has not tested for this issue but has instead...

Astra Linux - уязвимость в mbedtls

Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtlssslsethostname...

Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Eclipse Jersey Race Condition (CVE-2025-68161)

Summary The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perfor...

CVE-2026-41060

WWBN AVideo is an open source video platform. In versions 29.0 and below, the isSSRFSafeURL function in objects/functions.php contains a same-domain shortcircuit lines 4290-4296 that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares on...

SillyTavern 代码问题漏洞

SillyTavern is a frontend interface for the SillyTavern open-source language model. Versions of SillyTavern prior to 1.17.0 had code vulnerabilities; these vulnerabilities stemmed from a hostname check that only matched literal dotted-decimal IPv4 addresses, which could lead to server-side reques...

Security Bulletin: Multiple vulnerabilities in IBM DevOps Release

Summary IBM DevOps Release 7.0.0.7 addresses multiple vulnerabilities. Vulnerability Details CVEID:CVE-2025-68161 DESCRIPTION: The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostNam...

PT-2026-21890

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of strpos for substring-based hostname validation instead of strict host comparison in the ajax upload image function. This makes...

MiracleLinux 4 : axis-1.2.1-7.3.AXS4 (AXSA:2013-129:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2013-129:01 advisory. Apache AXIS is an implementation of the SOAP Simple Object Access Protocol submission to W3C. From the draft W3C specification: SOAP is a lightweight protocol...

MiracleLinux 7 : python-2.7.5-58.0.1.el7.AXS7 (AXSA:2017-2065:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2017-2065:01 advisory. tv4 - Tiny Validator for v4 JSON Schema JavaScript library packaged for setuptools easyinstall / pip. Use json-schema draft v4 to validate simple values and...

MiracleLinux 4 : axis-1.2.1-7.5.AXS4 (AXSA:2014-534:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2014-534:01 advisory. Description : Apache AXIS is an implementation of the SOAP Simple Object Access Protocol submission to W3C. From the draft W3C specification: SOAP is a...

EUVD-2016-1579

Malware in sbrugna...

EUVD-2021-22993

Malware in sbrugna...

EUVD-2020-28176

Malware in sbrugna...

EUVD-2009-3008

Malware in sbrugna...

Unity Linux 20.1070e Security Update: nodejs (UTSA-2025-680625)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-680625 advisory. Accepting arbitrary Subject Alternative Name SAN types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained...

EUVD-2024-0827

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2021-36377

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation. CVE-2021-36377 Note that Nessus relies on the...