GHSA-V39H-62P7-JPJC vulnerabilities
Vulnerabilities for packages: arangodb, opensearch-dashboards, saf, wazuh-dashboard, keep-fips, wazuh-dashboard-fips, vitess, tileserver-gl, langfuse-fips, argo-workflows, prism, langfuse, keep, tileserver-gl-fips, opensearch-dashboards-fips, kibana...
CVE-2026-6322 vulnerabilities
Vulnerabilities for packages: arangodb, opensearch-dashboards, saf, wazuh-dashboard, keep-fips, wazuh-dashboard-fips, vitess, tileserver-gl, langfuse-fips, argo-workflows, prism, langfuse, keep, tileserver-gl-fips, opensearch-dashboards-fips, kibana...
CVE-2026-6321 vulnerabilities
Vulnerabilities for packages: arangodb, opensearch-dashboards, saf, wazuh-dashboard, keep-fips, wazuh-dashboard-fips, vitess, tileserver-gl, langfuse-fips, argo-workflows, prism, langfuse, keep, tileserver-gl-fips, opensearch-dashboards-fips, kibana...
OESA-2026-2276 python-python-multipart security update
A streaming multipart parser for Python. Security Fixes: Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded...
GHSA-PP6C-GR5W-3C5G vulnerabilities
Vulnerabilities for packages: keep-fips, synapse, wazuh-manager-fips, litellm, lmcache-cuda-12.8, reflex, airflow, semgrep, wazuh-manager, keep, airflow-core...
GHSA-2H4P-VJRC-8XPQ vulnerabilities
Vulnerabilities for packages: keep-fips, reflex, airflow, pgadmin4, pgadmin4-fips, mlflow-fips, keep, airflow-core...
CVE-2026-42561 vulnerabilities
Vulnerabilities for packages: keep-fips, synapse, wazuh-manager-fips, litellm, lmcache-cuda-12.8, reflex, airflow, semgrep, wazuh-manager, keep, airflow-core...
CVE-2026-44307 vulnerabilities
Vulnerabilities for packages: keep-fips, reflex, airflow, pgadmin4, pgadmin4-fips, mlflow-fips, keep, airflow-core...
EUVD-2026-26712
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate Content-Length header...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: Staging: vchiq_arm – Fixed potential NPR of the keep-alive thread. In the event that vchiq_platform_conn_state_changed is never called or fails before driver removal, ka_thread will not be a valid pointer to a task_struct. Therefore,...
Astra Linux – Vulnerability in Puma
Puma is an HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted; it did not prevent new connections from being blocked by greedy persistent-connections that saturated all threads ...
CVE-2026-39805
Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request...
EUVD-2026-24498
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...
curl: CVE-2026-6429: netrc credential leak with reused proxy connection
Summary: libcurl can leak .netrc-derived host Authorization credentials across redirected hosts when an HTTP proxy connection is reused. In the PoC, .netrc contains credentials only for a.test, but after a.test redirects to b.test and then c.test over the same keep-alive proxy connection, libcurl...
GHSA-5GQC-QHRJ-9XW8 Oxia affected by server crash via race condition in session heartbeat handling
Summary: A race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close calls, this can lead to either a...
curl: Negotiate Authentication Premature on Connection Reuse
Summary: Curl 8.19.0+ inappropriately sends Negotiate authentication headers on reused keep-alive connections where authentication was already completed. Commit ab650379a8 June 2025 moved negotiate auth context to on-demand metadata storage, but during connection reuse the metadata gets cleared...
Security update for osslsigncode (critical)
openSUSE Security Update: Security update for osslsigncode Announcement ID: openSUSE-SU-2026:0116-1 Rating: critical References: 1260680 Cross-References: CVE-2025-70888 Affected Products: openSUSE Backports SLE-15-SP7 An update that fixes one vulnerability is now available. Description: This...
SUSE CVE-2026-34441
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread...
Linux Distros Unpatched Vulnerability : CVE-2026-34441
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling...
HTTP Request Smuggling
Overview: Affected versions of this package are vulnerable to HTTP Request Smuggling via the static file handler when it serves GET responses without consuming the request body. An attacker can inject and have the server process unintended HTTP requests by embedding arbitrary HTTP requests inside...