EUVD-2026-32881

In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43rx The firmware-controlled key index in b43rx can exceed the dev-key array size 58 entries. The existing B43WARNON is non-enforcing in production builds, allowing an...

CVE-2026-44775 Kavita: No authentication at /api/Reader/image

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...

ALSA-2026:19066 Moderate: openssl security update

OpenSSL is a toolkit that implements the Secure Sockets Layer SSL and Transport Layer Security TLS protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key CVE-2026-317...

Incorrect Type Conversion or Cast

Overview Affected versions of this package are vulnerable to Incorrect Type Conversion or Cast in the DiscoverKeys process. An attacker can cause the application to crash by providing a non-RSA key such as an EC key from a repository JWKS endpoint, which triggers a panic due to an unchecked type...

CVE-2026-31679

Summary: CVE-2026-31679 affects the Linux kernel openvswitch code. The vulnerability arises from improper validation of MPLS payload lengths in SET/SET_MASKED actions: openvswitch accepted OVS_KEY_ATTR_MPLS as a variable-sized payload, while action handling expects fixed-size MPLS data (struct ov...

CVE-2026-31790

Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process whi...

EUVD-2026-14380

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations e.g., verify and encryption to collapse to...

CVE-2026-4603

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations e.g., verify and encryption to collapse to...

CVE-2026-1490

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS PTR record spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it...

CVE-2026-1490 Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS PTR record spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it...

CVE-2026-1490

CVE-2026-1490 affects the WordPress plugin Spam protection, Anti-Spam and Firewall by CleanTalk (versions up to 6.71). The vulnerability is an authorization bypass via reverse DNS (PTR) spoofing in the checkWithoutToken function, allowing unauthenticated attackers to install and activate arbitrar...

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Handling of Syntactically Invalid Structure in Grafana (CVE-2025-22865)

Summary Grafana is used by IBM Storage Ceph as part of the dashboard to monitor the stats for each cluster. CVE-2025-22865 Vulnerability Details CVEID:CVE-2025-22865 DESCRIPTION: Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key i...

SUSE-SU-2025:4110-1 Security update for bind

This update for bind fixes the following issues: - CVE-2025-8677: DNSSEC validation fails if matching but invalid DNSKEY is found bsc1252378. - CVE-2025-40778: Address various spoofing attacks bsc1252379. - CVE-2025-40780: Cache-poisoning due to weak pseudo-random number generator bsc1252380...

EUVD-2005-3668

Malware in sbrugna...

CVE-2025-39889

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: Check encryption key size on incoming connection This is required for passing GAP/SEC/SEM/BI-04-C PTS test case: Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit This tests the security...

Important: golang

Issue Overview: Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. CVE-2019-17596 Affected Packages:...

nodejs: process interuption due to invalid Public Key information in x509 certificates

A vulnerability has been identified in the Node.js, where an invalid public key is used to create an x509 certificate using the crypto.X509Certificate API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as...

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

...

Node.js 安全漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. Node.js suffers from a security vulnerability that stems from invalid public key information, which allows an attacker to force an interruption in application processing and be subject to a DoS attack...

SUSE CVE-2005-3671

The Internet Key Exchange version 1 IKEv1 implementation in Openswan 2 openswan-2 before 2.4.4, and freeswan in SUSE LINUX 9.1 before 2.041.5.4-1.23, allow remote attackers to cause a denial of service via 1 a crafted packet using 3DES with an invalid key length, or 2 unspecified inputs when...