CLSA-2026-1779493861 postgresql: Fix of 6 CVEs

CVE-2026-6473: use pallocarray in hstoreplperl/hstoreplpython to avoid integer overflow on 32-bit systems - CVE-2026-6474: guard pgstrftime callers against unsafe conditions and ensure null-terminated output to prevent format-string leak via crafted timezone names - CVE-2026-6475: prevent path...

CLSA-2026-1778768341 python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

CLSA-2026-1778769563 python: Fix of 4 CVEs

CVE-2019-9740: reject control characters in HTTP URL paths in httplib.HTTPConnection.putrequest to prevent CRLF header injection - CVE-2019-18348: reject control characters in hostnames in httplib.HTTPConnection.init via a new validatehost helper to prevent CRLF header injection the glibc...

CLSA-2026-1775223681 python: Fix of CVE-2025-15367

CVE-2025-15367: reject control characters in POP3 commands to prevent command injection via newlines...

OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence...

EUVD-2019-0204

Malware in sbrugna...

EUVD-2023-35452

Malicious code in bioql PyPI...

EUVD-2023-32977

Malicious code in bioql PyPI...

Fedora: Security Advisory (FEDORA-2024-89014f5794)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Applying Security Engineering to Prompt Injection Security

This seems like an important advance in LLM security against prompt injection: Google DeepMind has unveiled CaMeL CApabilities for MachinE Learning, a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats...

CVE-2021-47657

In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Ensure that objs is not NULL in virtiogpuarrayputfree If virtiogpuobjectshmeminit fails e.g. due to fault injection, as it happened in the bug report by syzbot, virtiogpuarrayputfree could be called with objs equal to...

Fedora 37 : php-Smarty (2022-d5fc9dcdd7)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-d5fc9dcdd7 advisory. 3.1.47 - 2022-09-14 Security - Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks 454 Fixed - Fixed use ...

Rails Without Derails: Thwarting Code Injection Attacks

...

Gitlab -- vulnerabilities

Gitlab reports: Execute environment stop actions as the owner of the stop action job Prevent code injection in Product Analytics funnels YAML SSRF via Dependency Proxy Denial of Service via sending a large glmsource parameter CIJOBTOKEN can be used to obtain GitLab session token Variables from...

PT-2024-37132 · WordPress · Wpstickybar

Name of the Vulnerable Software and Affected Versions: WpStickyBar WordPress plugin versions prior to 2.1.1 Description: The issue arises from the improper sanitization and escaping of a parameter before its use in a SQL statement via an AJAX action. This AJAX action is available to unauthenticat...

CVE-2023-41703

User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avo...

CVE-2023-41336 Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2...

Prevent injection of invalid entity ids for "autocomplete" fields

Impact Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. Affected applications are any that use: A custom querybuilder option to limit the valid results; AND An EntityType with 'autocomplete' = true or a custom...

Important: nerdctl

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send...

Code injection

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, watchOS 9.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited...