EUVD-2026-31388

golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic...

EUVD-2026-31402

golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic...

CVE-2026-56779

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and downloadurl parameters. Attackers with default workspace USER role can...

WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS

Calls to Action plugin before 2.5.1 for WordPress contains stored XSS caused by unsanitized input in open-tab parameter in wp-admin/edit.php and wp-cta-variation-id parameter in ab-testing-call-to-action-example/, letting remote attackers inject arbitrary web script or HTML, exploit requires...

Pinger 1.0 - Remote Code Execution

Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. id:...

CVE-2026-8658 OS Command Injection in Rapid7 InsightConnect Tcpdump Plugin

OS Command Injection vulnerability in Rapid7 InsightConnect Tcpdump Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the options or filter parameters due to insufficient input sanitization in shell command construction...

CVE-2026-8665

CVE-2026-8665 describes an OS command injection in the TR action of the Rapid7 InsightConnect Translate Plugin on Linux. The vulnerability arises from insufficient input sanitization in shell command construction, allowing remote attackers to execute arbitrary OS commands via the text or expressi...

EUVD-2026-38649

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with i...

EUVD-2026-38647

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with i...

[SECURITY] [DSA 6361-1] ffmpeg security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6361-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 22, 2026 https://www.debian.org/security/faq -...

EUVD-2026-38332

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search...

CVE-2026-8918

A permissive list of allowed inputs in ASUS Armoury Crate allows a local administrator to perform arbitrary memory read/write operations or cause a system crash BSOD by bypassing the validation mechanism.Refer to the ' Security Update for Armoury Crate App ' section on the ASUS Security Advisory...

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Fixed NULL pointer dereferencing when printing devname When larbdev is NULL in the case I encountered, the node is incorrectly set as iommu = &iommu NUM, it will cause devicelinkadd to fail and the kernel to crash...

Astra Linux – Vulnerability in poppler, poppler-22

A floating-point exception in the PSStack::roll function of Poppler before version 25.04.0 can cause an application to crash when handling malformed inputs associated with INTMIN...

Astra Linux – Vulnerability in Python-Django

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uritoiri is susceptible to a potential Denial-of-Service DoS attack due to certain inputs containing a very large number of Unicode characters...

Astra Linux – Vulnerability in Python-Django

A issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files...

CVE-2026-54533

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, malicious algorithms can potentially access other algorithms input and output files. Version 5.0.0 fixes the issue. As a workaround, verify and restrict the algorithm containers that are allowed to...

CVE-2026-54533

vantage6 node (open-source infrastructure for privacy-preserving analysis) contains an Improper Access Control vulnerability prior to version 5.0.0 that could allow malicious algorithms to access other algorithms’ input and output files. Version 5.0.0 fixes the issue. As a workaround, verify and ...

postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write

A flaw was found in PostgreSQL. An integer overflow in multiple server features allows an unprivileged database user to cause an undersized memory allocation that leads to an out-of-bounds write. This issue allows an attacker to execute arbitrary code as the operating system user running the...

CVE-2026-12398

A command injection vulnerability was found in galaxyng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names branch/tag names into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...