kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

dssrf: every IPv6 category bypasses is_url_safe

A vulnerability on dssrf allow, an attacker to use, one of them following ipv6 rust Input Category http://::1/ IPv6 loopback http://fc00::1/ IPv6 ULA http://fe80::1/ IPv6 link-local http://::ffff:127.0.0.1/ IPv4-mapped loopback http://::ffff:169.254.169.254/ IPv4-mapped IMDS...

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

Security Bulletin: IBM Edge Data Collector uses axios-1.13.6.tgz which is vulnerable to CVE-2025-62718.

Summary IBM Edge Data Collector uses axios-1.13.6.tgz which is vulnerable to CVE-2025-62718. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 a...

PT-2026-38277

Name of the Vulnerable Software and Affected Versions rmcp versions prior to 1.4.0 dynoxide versions prior to 0.9.13 Description The Streamable HTTP server transport in the rmcp crate fails to validate the incoming Host header. This allows a malicious public website to use a DNS rebinding attack—...

PT-2026-37477

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A NULL pointer dereference can occur in the ASoC SOF Intel hda component. This happens when there is a mismatch between the DAI links in the machine driver and the topology, which may...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that stems from the derivation of a loopback MCP owner context from a server-issued bearer token that can be spoofed in the request header, which can be exploited by an attacke...

RHEL 9 : kernel-rt (RHSA-2026:14137)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14137 advisory. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism...

CVE-2026-40280

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression ^https?:// to match URL schemes. Because Go's net/url.Parse normalizes...

GHSA-4GP8-RJRQ-CH6Q link-preview-js vulnerable to IPv6 and internal loopback attacks

Impact The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. Patches Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. T...

link-preview-js vulnerable to IPv6 and internal loopback attacks

Impact The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. Patches Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. T...

kernel: ALSA: aloop: Fix racy access at PCM trigger

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are...

CVE-2026-42043

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses within the 127.0.0.0/8 range, excluding 127.0.0.1, the attacker can completely bypass the...

GHSA-M7PR-HJQH-92CM Axios: no_proxy bypass via IP alias allows SSRF

The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching — it does not resolve IP aliases or loopback...

EUVD-2026-25604

Axios: noproxy bypass via IP alias allows SSRF...

Axios: no_proxy bypass via IP alias allows SSRF

The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching — it does not resolve IP aliases or loopback...

NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

NPM: Axios: Incomplete Fix for CVE-2025-62718 — NOPROXY Protection Bypassed via RFC 1122 Loopback Subnet 127.0.0.0/8 in Axios 1.15.0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

GHSA-PMWG-CVHR-8VH7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...