EUVD-2026-33000

Music Player Daemon MPD before version 0.24.11 contains a stack buffer overflow vulnerability in the pcmunpack24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD...

CVE-2026-49127

Music Player Daemon MPD before version 0.24.11 contains a stack buffer overflow vulnerability in the pcmunpack24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD...

CVE-2026-49127

Music Player Daemon MPD before version 0.24.11 contains a stack buffer overflow vulnerability in the pcmunpack24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD...

GHSA-7J6W-VVW2-5F9C OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Impact In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...

HTTP Request Smuggling

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Request Smuggling via the app.mount function. An attacker can access unintended routes or resources by sending requests with percent-encoded multi-byte characters in the URL path,...

USN-8343-1: multipart vulnerability

It was discovered that multipart had an ambiguous regular expression alternation when handling certain HTTP header values. A remote attacker could possibly use this issue to cause multipart to use excessive resources, leading to a denial of service...

CVE-2026-45310 CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetchurl tool validates the initial URL's resolved IP address against a restricted-IP blocklist isrestrictedip to prevent SSRF attacks against internal services cloud metadata endpoints, localhost, private networks...

CVE-2026-45310 CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetchurl tool validates the initial URL's resolved IP address against a restricted-IP blocklist isrestrictedip to prevent SSRF attacks against internal services cloud metadata endpoints, localhost, private networks...

EUVD-2026-32964

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetchurl tool validates the initial URL's resolved IP address against a restricted-IP blocklist isrestrictedip to prevent SSRF attacks against internal services cloud metadata endpoints, localhost, private networks...

SUSE-SU-2026:21915-1 Security update for helm

This update for helm fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265758. - CVE-2026-41888: github.com/distribution/distribution/v3: tag deletion bypasses the storage.delete.enabled configuration...

python3.12 security update

An update is available for python3.12. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming languag...

CVE-2026-48522 PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

USN-8338-1 apache2 vulnerabilities

It was discovered that Apache HTTP Server incorrectly handled certain response headers. An attacker could possibly use this issue to perform HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS. CVE-2023-38709 Will Dormann and David Warren discovered that Apache HTTP Server'...

CVE-2026-48902

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set...

CLSA-2026-1779968889 Fix of 7 CVEs

SECURITY UPDATE: Authentication Bypass in digest authentication - debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest - CVE-2026-43512 SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names -...

SUSE-SU-2026:2103-1 Security update for apache2

This update for apache2 fixes the following issues - CVE-2026-23918: http2: double free and possible RCE on early reset bsc1263957. - CVE-2026-24072: modrewrite elevation of privileges via apexpr bsc1263935. - CVE-2026-28780: heap buffer overflow in modproxyajp via ajpmsgcheckheader bsc1264163. -...

CVE-2026-42578

A flaw was found in Netty. The HttpProxyHandler component, which handles HTTP CONNECT requests, does not properly validate user-provided outbound headers. This allows an attacker to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This could lead to unexpected...

CVE-2026-42581

A flaw was found in Netty's HttpObjectDecoder. A remote attacker can exploit this by sending a specially crafted HTTP/1.0 request that includes both Transfer-Encoding: chunked and Content-Length headers. While Netty correctly strips the conflicting Content-Length header for HTTP/1.1 messages, thi...

CVE-2026-9813

FlowIntel up to version 3.3.0 contains a server-side request forgery SSRF vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specifi...

CVE-2026-9813

FlowIntel up to version 3.3.0 contains a server-side request forgery SSRF vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specifi...