Security Bulletin: node-forge-1.3.1.tgz, IBM Sterling Connect:Direct Web Services is affected by bypass downstream cryptographic verifications and security decisions.

Summary node-forge-1.3.1.tgz is used by IBM Sterling Connect:Direct Web Services CVE-2025-12816, CVE-2025-66030, CVE-2025-66031 . Vulnerability Details CVEID:CVE-2025-12816 DESCRIPTION: An interpretation-conflict CWE-436 vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticat...

PT-2026-44985

NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-prov data is stored as nni quic conn during dialing, but read as ex quic conn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...

CVE-2025-71304

A flaw was found in the Linux kernel's Smack module. A local user with privileges to modify Smack's Domain of Interpretation DOI values could cause a denial of service. By writing a previously used DOI value to /smack/doi, networking for non-ambient labels becomes disabled. This prevents network...

CVE-2026-46175

A flaw was found in the Linux kernel's f2fs filesystem. During Foreground Garbage Collection FGGC of node blocks, the system fails to properly clear internal metadata marks. This can lead to filesystem inconsistencies, where the fsck utility may misinterpret the state of migrated data. A local us...

Interpretation Conflict

Overview @hapi/content is a HTTP Content- headers parsing Affected versions of this package are vulnerable to Interpretation Conflict due to inconsistent handling of duplicate parameters in the Content.disposition and Content.type functions. An attacker can bypass upload filename allowlists or...

CVE-2026-47076

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackneyurl:normalize/2 URL-decodes the host component after the URL has been parsed into a hackneyurl record. OTP's uristring:parse/1 and inet:parseaddress/1 do not decode percent-escapes in the host, so ...

EUVD-2026-31689

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackneyurl:normalize/2 URL-decodes the host component after the URL has been parsed into a hackneyurl record. OTP's uristring:parse/1 and inet:parseaddress/1 do not decode percent-escapes in the host, so ...

PT-2026-43072

Name of the Vulnerable Software and Affected Versions benoitc hackney versions 0.13.0 through 4.0.0 Description An interpretation conflict allows Server Side Request Forgery SSRF, a flaw where an attacker can induce the server to make requests to an unintended location. The function hackney...

Interpretation Conflict

Overview symfony/html-sanitizer is a Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM. Affected versions of this package are vulnerable to Interpretation Conflict via URL parsing and policy enforcement in UrlSanitizer/UrlAttributeSanitizer...

Astra Linux - уязвимость в linux

In the Linux kernel before version 5.11.14, there is a use-after-free issue in the cipsov4genopt module, located in net/ipv4/cipsoipv4.c. This issue arises due to improper handling of the CIPSO and CALIPSO reference counts related to DOI definitions. As a result, an arbitrary value is written to...

Astra Linux - уязвимость в rustc

The library/std/src/net/parser.rs file in Rust before version 1.53.0 does not properly handle zero characters at the beginning of an IP address string. In some cases, this allows attackers to bypass access controls based on IP addresses due to incorrect octal interpretation of those zero characte...

ROS-20260513-73-0005

An interpretation conflict vulnerability in rubygem-rack. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

Interpretation Conflict

Overview next is a react framework. Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating share...

Incorrect Behavior Order: Validate Before Canonicalize

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the parsing of Git objects with malformed or ambiguous commit or tag objects. An attacker can cause inconsistent interpretation of object metadata or signature validation by...

EUVD-2026-28898

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in...

Interpretation Conflict

Overview Affected versions of this package are vulnerable to Interpretation Conflict via the getMethod function. An attacker can perform unauthorized actions by sending crafted HTTP requests that override the intended HTTP method, potentially bypassing middleware restrictions and escalating...

Interpretation Conflict

Overview fast-uri is a Dependency-free RFC 3986 URI toolbox Affected versions of this package are vulnerable to Interpretation Conflict during the decoding of URL host component. An attacker can manipulate the authority component of a URI by supplying percent-encoded delimiters, causing the host ...

Interpretation Conflict

Overview org.webjars.npm:fast-uri is a Dependency-free RFC 3986 URI toolbox Affected versions of this package are vulnerable to Interpretation Conflict during the decoding of URL host component. An attacker can manipulate the authority component of a URI by supplying percent-encoded delimiters,...

Astra Linux - уязвимость в python3.11, python3.7

When an address list is folded, and the separating comma ends up on a folded line that needs to be encoded using Unicode, then the separator itself must also be encoded using Unicode. The expected behavior is that the separating comma remains a plain comma. However, this can lead to the address...

Security Bulletin: Watsonx.data Input Interpretation Vulnerability Could Enable Improper External Service Access

Summary Watonx.data could allow an authenticated user to interact with external services improperly due to interpretation conflicts of user supplied input. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-36141 DESCRIPTION: IBM Lakehouse could allow an authenticated user to...