7531 matches found

OSV
added 2026/01/07 9:43 a.m., 2 views

OPENSUSE-SU-2026:20003-1 Security update of valkey

This update for valkey fixes the following issues:

Update to 8.0.6:
- Security fixes:
  - CVE-2025-49844: Fixed that a Lua script may lead to remote code execution (bsc#1250995)
  - CVE-2025-46817: Fixed that a Lua script may lead to integer overflow and potential RCE (bsc#1250995)
  - CVE-2025-46818: Fixed...

CVSS 9.9, AI score 6.5, EPSS 0.11111
Exploits: 14, References: 5

RedhatCVE
added 2026/01/07 9:40 a.m., 4 views

CVE-1999-0747

Denial of service in BSDi Symmetric Multiprocessing SMP when an fstat call is made when the system has a high CPU load...

CVSS 2.1, AI score 6.9, EPSS 0.00084
Exploits: 0, References: 1

Huntr
added 2026/01/07 5:21 a.m., 6 views

Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading

Summary: A critical arbitrary code execution vulnerability exists in HuggingFace Transformers' Trainer class. The _load_rng_state method at src/transformers/trainer.py:3059 calls torch.load without the weights_only=True parameter. While a safe_globals context manager wraps this call, it provides no...

CVSS 7.8, AI score 6.6, EPSS 0.00023
Exploits: 1

Tenable Nessus
added 2026/01/07 12:0 a.m., 4 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000327)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000327 advisory. An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which migh...

CVSS 5.5, AI score 6.4, EPSS 0.00113
Exploits: 0, References: 4

Tenable Nessus
added 2026/01/07 12:0 a.m., 1 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000353)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000353 advisory. In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service infinite loop in...

CVSS 9.8, AI score 6.8, EPSS 0.00486
Exploits: 0, References: 4

Tenable Nessus
added 2026/01/07 12:0 a.m., 1 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000414)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000414 advisory. Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially...

CVSS 5.6, AI score 6.8, EPSS 0.00515
Exploits: 0, References: 3

Tenable Nessus
added 2026/01/07 12:0 a.m., 1 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000502)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000502 advisory. In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails. When loading a...

CVSS 7.8, AI score 6, EPSS 0.00015
Exploits: 0, References: 3

CVE
added 2026/01/07 12:0 a.m., 10 views

CVE-2025-66838

The CVE describes an issue in ARIS prior to version 10.0.23.0.3587512 where the file upload function does not enforce rate limiting/throttling. This allows an attacker to upload a large volume of files at an unrestricted rate, potentially causing resource exhaustion such as disk space depletion, ...

CVSS 6.5, AI score 6.6, EPSS 0.00034
Exploits: 0, References: 2, Affected Software: 1

OSV
added 2026/01/06 3:27 a.m., 4 views

CVE-2026-21487 iccDEV has Out-of-bounds Read, Use of Out-of-range Pointer Offset and Improper Input Validation

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2...

CVSS 6.1, AI score 6.5, EPSS 0.00032
Exploits: 1, References: 5

CVE
added 2026/01/06 3:27 a.m., 8 views

CVE-2026-21487

iccDEV’s CVE-2026-21487 is a localization/color-management library flaw where versions 2.3.1.1 and earlier suffer an Out-of-bounds Read, Use of Out-of-range Pointer Offset, and Improper Input Validation in CIccProfile::LoadTag. The issue is fixed in version 2.3.1.2. Public sources (NVD/Red Hat an...

CVSS 7.1, AI score 6.3, EPSS 0.00032
Exploits: 1, References: 3, Affected Software: 1

Vulnrichment
added 2026/01/06 3:17 a.m., 1 views

CVE-2026-21485 iccDEV Undefined Behavior (UB) and Out of Memory in CIccProfile::LoadTag()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2...

CVSS 8.8, AI score 6.4, EPSS 0.00117
Exploits: 1, References: 3

CNNVD
added 2026/01/06 12:0 a.m., 2 views

ASUS System Control Interface Security Vulnerability

ASUS System Control Interface is a computer system control interface from Asus China. A security vulnerability exists in ASUS System Control Interface, which originates from an uncontrolled DLL load path that could lead to the execution of arbitrary code...

CVSS 8.5, AI score 6.9, EPSS 0.00012
Exploits: 0, References: 1

CVE
added 2026/01/01 7:3 a.m., 25 views

CVE-2025-11157

CVE-2025-11157 is a high-severity remote code execution flaw in feast-dev/feast v0.53.0, due to unsafe YAML deserialization in the Kubernetes materializer (feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py) where yaml.load(..., Loader=yaml.Loader) processes /var/feast/feature_store....

CVSS 7.8, AI score 8.2, EPSS 0.00218
Exploits: 0, References: 2

Snyk
added 2026/01/01 6:26 a.m., 0 views

Deserialization of Untrusted Data

Overview ai-data-science-team is a Build and run an AI-powered data science team. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the loadpickle function in aidatascienceteam/tools/dataloader.py. An attacker can execute arbitrary code by supplying a...

CVSS 9.8, AI score 7.7
Exploits: 0, References: 3

RedhatCVE
added 2026/01/01 6:25 a.m., 4 views

CVE-2025-14434

The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upkalexgridloadmoreposts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and...

CVSS 5.3, AI score 6.9, EPSS 0.00058
Exploits: 0, References: 1

Positive Technologies
added 2026/01/01 12:0 a.m., 2 views

PT-2026-24938

A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit h...

CVSS 5.3, AI score 5.2, EPSS 0.00019
Exploits: 0, References: 12

Positive Technologies
added 2026/01/01 12:0 a.m., 6 views

PT-2026-20452

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel’s ksmbd module contains a synchronization issue within the ksmbd_chann_list xarray. This lack of synchronization can lead to a use-after-free condition in multi-channel...

CVSS 8.8, AI score 7, EPSS 0.00023
Exploits: 0, References: 77

Positive Technologies
added 2026/01/01 12:0 a.m., 3 views

PT-2026-3759

Name of the Vulnerable Software and Affected Versions: ImageMagick versions 14.10.1 and below; ImageMagick version 7.x. Description: ImageMagick, a free and open-source software for editing and manipulating digital images, contains a NULL pointer dereference issue in the MSL Magick Scripting Language...

CVSS 9.8, AI score 6, EPSS 0.00114
Exploits: 3, References: 128

Positive Technologies
added 2026/01/01 12:0 a.m., 3 views

PT-2026-5520

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: A flaw exists in the Linux kernel’s idpf driver related to error handling within the init task during driver loading. If the init task fails, the system may lack necessary virtual ports...

CVSS 5.5, AI score 6.4, EPSS 0.00025
Exploits: 0

Positive Technologies
added 2026/01/01 12:0 a.m., 5 views

PT-2026-21774

Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1. Description: The local Caddy admin API, listening by default on 127.0.0.1:2019, includes a POST /load endpoint that allows replacing the entire running configuration. When origin enforcement is not enabled enforce...

CVSS 9.9, AI score 5.3, EPSS 0.00733
Exploits: 44, References: 123