SUSE CVE-2026-43125

In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlmsearchrsbtree The len parameter in dlmdumprsbname is not validated and comes from network messages. When it exceeds DLMRESNAMEMAXLEN, it can cause out-of-bounds write in dlmsearchrsbtree. Add length...

PT-2026-37465

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the Distributed Lock Manager DLM where the len parameter in the dlm dump rsb name function is not validated. Because this parameter is derived from network messages,...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-012999)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-012999 advisory. In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfsencodefh The function btrfsencodefh does not properl...

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011139)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011139 advisory. In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfsencodefh The function btrfsencodefh does not properl...

Elysia has a string URL format ReDoS

Impact t.String format: 'url' is vulnerable to redos Repeating a partial url format protocol and hostname multiple times cause regex to slow down significantly js 'http://a'.repeatn Here's a table demonstrating how long it takes to process repeated partial url format | n repeat | elapsedms | | --...

CVE-2026-29795 stellar-xdr: `StringM::from_str` bypasses max length validation

stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::fromstr does not validate that the input length is within the declared maximum MAX. Calling StringM::::fromstrs where s is longer than N bytes succeeds and returns a...

CVE-2026-29795

CVE-2026-29795 affects the stellar-xdr crate (StringM::from_str bypasses the max length validation). Affected: versions prior to 25.0.1. Root cause: input strings longer than MAX are accepted, producing StringM with violated length invariant. Impact: potential propagation through serialization/va...

GHSA-X57H-XX53-V53W stellar-xdr's StringM::from_str bypasses max length validation

Impact StringM::fromstr does not validate that the input length is within the declared maximum MAX. Calling StringM::::fromstrs where s is longer than N bytes succeeds and returns an Ok value instead of ErrError::LengthExceedsMax, producing a StringM that violates its length invariant. This affec...

openSUSE Security Advisory (SUSE-SU-2026:0423-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

SUSE-SU-2026:20425-1 Security update for python-aiohttp, python-Brotli

This update for python-aiohttp, python-Brotli fixes the following issues: Changes in python-aiohttp: - CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. - CVE-2025-69226: Fixed brute-force leak of internal static file path components bsc1256020. - CVE-2025-69224: Fixed...

SUSE SLES15 / openSUSE 15 Security Update : python-brotlipy (SUSE-SU-2026:0423-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:0423-1 advisory. - Add max length decompression bsc1254867, bsc1256017 Tenable has extracted the preceding description block directly from the...

Security update for python-brotlipy

This update for python-brotlipy fixes the following issues: Add max length decompression bsc1254867, bsc1256017 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run the command listed for...

CVE-2025-71031

Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn't have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory...

CVE-2026-1083 Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max...

CVE-2026-1083

CVE-2026-1083: The Appointment Hour Booking – Booking Calendar WordPress plugin is vulnerable to Stored Cross-Site Scripting in all versions up to 1.5.60 due to insufficient input sanitization and output escaping on the Min length/characters and Max length/characters field configuration values. E...

CVE-2026-1083 Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max...

WordPress Appointment Hour Booking plugin <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration vulnerability discovered by ALockWooD in WordPress Plugin Appointment Hour Booking versions = 1.5.60...

PT-2026-5060

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max...

CVE-2025-68438

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed core maxtemplatedfieldlength, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include...

CVE-2025-68438

Apache Airflow prior to 3.1.6 is affected. When rendering template fields in a Dag that exceed max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI because the secrets masker did not include user-registered mask_secret() patterns, leading to inco...