GHSA-2XF4-CG6J-VHGQ symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form

Description symfony/polyfill-intl-idn provides a userland implementation of idntoutf8 and idntoascii for runtimes that lack the intl extension. Its Idn::process method decodes labels prefixed with xn-- using Punycode but never enforces the validity criterion added in UTS 46 revision 33 Section 4...

CVE-2026-9078

Firefox for iOS displayed specially crafted right-to-left RTL and internationalized domain names IDNs incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This...

Linux Distros Unpatched Vulnerability : CVE-2026-46644

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form CVE-2026-46644 Note that Nessus relies ...

Incorrect Comparison

Overview Affected versions of this package are vulnerable to Incorrect Comparison in the process function in Idn.php, which does not necessarily treat xn-- labeled input as punycode, if it contains only ASCII. This case was overlooked in the specification until UTS 46 revision 33, when it was...

PT-2026-43074

Name of the Vulnerable Software and Affected Versions Firefox for iOS versions prior to 151.1 Description Firefox for iOS incorrectly displayed specially crafted right-to-left RTL and internationalized domain names IDNs within link preview UI surfaces. A crafted RTL hostname could visually reorde...

Astra Linux - уязвимость в curl

There is a vulnerability in the handling of certificate validation in curl v8.1.0, particularly in how wildcard patterns are matched when listed as “Subject Alternative Name” in TLS server certificates. Curls can be modified to use its own name matching function for TLS, rather than the one...

OPENSUSE-SU-2026:20698-1 Security update for c-ares

This update for c-ares fixes the following issue - CVE-2025-62408: use after free in readanswers bsc1254738. Changes for c-ares: - c-ares 1.35.6: Ignore Windows IDN Search Domains until proper IDN support is added Various bug fixes...

SUSE-SU-2026:21584-1 Security update for c-ares

This update for c-ares fixes the following issue - CVE-2025-62408: use after free in readanswers bsc1254738. Changes for c-ares: - c-ares 1.35.6: Ignore Windows IDN Search Domains until proper IDN support is added Various bug fixes...

JLSEC-2026-400

A vulnerability exists in curl 7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypasse...

JLSEC-2026-409

An improper certificate validation vulnerability exists in curl v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS...

JLSEC-2026-399

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure cleartext HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host nam...

Astra Linux – Vulnerability in Chromium

Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name...

SUSE-SU-2026:21181-1 Security update for nodejs24

This update for nodejs24 fixes the following issues: Update to version 24.14.1. Security issues fixed: - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. - CVE-2026-21716:...

BIT-NODE-MIN-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

BIT-NODE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

CVE-2026-21712

A flaw was found in Node.js. This vulnerability allows an attacker to cause a Denial of Service DoS by providing a malformed Internationalized Domain Name IDN to the url.format function. When processed, this malformed input triggers an internal error, causing the Node.js application to crash. Thi...

UBUNTU-CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

Linux Distros Unpatched Vulnerability : CVE-2026-21712

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN...