RLSA-2025:3367 Important: grub2 security update

The grub2 packages provide version 2 of the Grand Unified Boot Loader GRUB, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Security Fixes: grub2: net:...

Malicious code in auth0-templates-scripts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6 Package name 'auth0-templates-scripts' impersonates the Auth0 Okta brand without affiliation. The author field is the placeholder 'OpenSource...

PT-2026-42494

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters ticketshost, ticketsdb, ticketsuser, ticketspassword,...

PT-2026-45157

Name of the Vulnerable Software and Affected Versions Twig affected versions not specified Description The TwigProfilerDumperHtmlDumper component fails to escape the output of Profile::getTemplate and Profile::getName when writing to HTML. If an attacker can control the template name—which may...

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of proper cleaning of multiple POST parameters in the dbloader.php file,...

PT-2026-42583

Description When the sandbox is enabled selectively via SourcePolicyInterface and not globally, a sandboxed template that is allowed to call template from string and include can render an arbitrary inner template with no security policy enforcement. Environment::createTemplate compiles the inner...

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from multiple POST parameters in the dbloader.php file—ticketsdb, ticketshost, ticketsuser, a...

PT-2026-42519

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...

PT-2026-42514

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db loader.php where the multiple POST parameters ticketsdb, ticketshost, ticketsuser, ticketspassword are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database witho...

TencentOS Server 4: gdk-pixbuf2 (TSSA-2026:0321)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0321 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

GO-2026-4965 Nuclei: Local File Read via require() Module Loader Bypass in github.com/projectdiscovery/nuclei

Nuclei: Local File Read via require Module Loader Bypass in github.com/projectdiscovery/nuclei...

Malicious code in libhmac (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fccbd481dd2bd04274c5045995a08ddbcf302780c24f39eb63821d5d63a998d1 The PyPI name 'libhmac' matches the well-known libyal/libhmac C forensics library HMAC primitive, but the package contents have nothing to do with HM...

Malicious code in nw-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5e3ff057a42800ad78024ac1c48e0d6fbf9c828eb828a41e6737c32b6174ce8c Package is published publicly on npm at version 100.20.33 — a version-number shape used in dependency-confusion attacks to outrank private internal...

MAL-2026-4624 Malicious code in nw-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5e3ff057a42800ad78024ac1c48e0d6fbf9c828eb828a41e6737c32b6174ce8c Package is published publicly on npm at version 100.20.33 — a version-number shape used in dependency-confusion attacks to outrank private internal...

Malicious code in @weirdorg/config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b28e2fe6ac03c8e426aeb69f62bf0b2bd4dfdb06a5acee273bb5967186c5504d @weirdorg/config impersonates the widely-used config node-config package, copying its README verbatim including the require'config' usage example. Th...

Astra Linux - уязвимость в blender

A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption, or potentially code execution...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: firmwareloader: A use-after-free occurred during the unregister operation. In the following code within firmwareUploadunregister, the call to deviceunregister could cause the devrelease function to free the fwUploadPriv structure...

Astra Linux - уязвимость в u-boot

The U-Boot 2022.01 has a Buffer Overflow, a different issue compared to CVE-2022-30552...

Astra Linux - уязвимость в linux

In the Linux kernel, the following vulnerability has been resolved: Wifi: ath9k – Verify that the expected usbendpoints are present. This bug occurs when a USB device claims to be an ATH9K device, but it does not have the expected endpoints. In this case, there was an interrupt endpoint, and the...

Astra Linux - уязвимость в linux-5.10, linux

A issue was discovered in the Linux kernel through version 5.19.8. In the file drivers/firmware/efi/capsule-loader.c, there is a race condition that leads to a use-after-free situation...