Updated perl-Net-CIDR-Lite packages fix security vulnerabilities

Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. CVE-2026-40198 Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. CVE-2026-40199...

CVE-2026-33975

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

CVE-2026-5081

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId added in version 1.54 uses the value of the UNIQUEID environment variable for the session id. The UNIQUEID variable is set by the Apache moduniqueid...

CVE-2026-5081 Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure

Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId added in version 1.54 uses the value of the UNIQUEID environment variable for the session id. The UNIQUEID variable is set by the Apache moduniqueid...

CVE-2026-43099

In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmpbuildprobe ipv6stub-ipv6devfind may return ERRPTR-EAFNOSUPPORT when the IPv6 stack is not active CONFIGIPV6=m and not loaded, and passing this error pointer to devhold will cause a kernel cra...

SUSE CVE-2026-43036

In the Linux kernel, the following vulnerability has been resolved: net: use skbheaderpointer for TCPv4 GSO fragoff check Syzbot reported a KMSAN uninit-value warning in gsofeaturescheck called from netifskbfeatures 1. gsofeaturescheck reads iph-fragoff to decide whether to clear mangleidfeatures...

Apache::Session::Generate::ModUniqueId 安全漏洞

Apache::Session::Generate::ModUniqueId is a session ID generation module developed by RRWO’s individual developers. There are security vulnerabilities in the version 1.54 to 1.94 of Apache::Session::Generate::ModUniqueId. These vulnerabilities stem from the use of the UNIQUEID environment variabl...

RHCOS 4 : OpenShift Container Platform 4.3.25 containernetworking-plugins (RHSA-2020:2443)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:2443 advisory. - containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters CVE-2020-10749 Note that Nessus has not...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the isSSRFSafeURL function. An attacker can access internal network resources and sensitive cloud metadata by submitting specially crafted URLs that use IPv4-mapped IPv6 notation, which bypasses the...

GHSA-J4RJ-2JR5-M439 ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

Summary ssrfcheck v1.3.0 latest fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address e.g. http://::ffff:127.0.0.1/. The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to...

CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

PT-2026-37221

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

PT-2026-37306

Name of the Vulnerable Software and Affected Versions ssrfcheck versions 1.3.0 and earlier Description ssrfcheck fails to block Server-Side Request Forgery SSRF attacks when a target private IP address is encoded as an IPv4-mapped IPv6 address e.g., 'http://::ffff:127.0.0.1/'. This occurs because...

RHCOS 4 : OpenShift Container Platform 4.14.35 (RHSA-2024:5436)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5436 advisory. - golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm CVE-2023-45290 -...

RHCOS 4 : OpenShift Container Platform 4.15.28 (RHSA-2024:5442)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5442 advisory. - golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm CVE-2023-45290 -...

Astra Linux – Vulnerability in Linux

In the Linux kernel before version 5.11.14, there is a use-after-free issue in the cipsov4genopt module, located in net/ipv4/cipsoipv4.c. This issue arises due to improper handling of the CIPSO and CALIPSO reference counts related to DOI definitions. As a result, an arbitrary value is written to...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: net: vxlan: Prevent NULL dereferencing in vxlanxmitone. Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in vxlanxmitone, especially if the iface is disabled. This can lead to the following NULL dereferences: -...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerabilities have been resolved: net: ipv4: fixed the issue where deleting routes with a nexthop object triggered a warning. The FRR team encountered a kernel warning1 while deleting routes2. This issue occurred when attempting to delete a route that pointed ...

Astra Linux – Vulnerability in Linux, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: net: fixed a use-after-free in twtimerhandler A real-world panic issue was discovered in Linux 5.4. The details of the issue are as follows: - Bug: Unable to handle a page fault for the address: ffffde49a863de28 - Memory layout:...