PixelSmash flaw turns video files into attack tools

A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers. Researchers have disclosed PixelSmash, a critical vulnerability tracked as CVE-2026-8461, in FFmpeg’s MagicYUV video decoder with a CVSS score of 8.8. By crafting a...

MongoDB 7.0.x < 7.0.35 / 8.0.x < 8.0.24 / 8.2.x < 8.2.10 / 8.3.x < 8.3.3 / 9.0.0-rc0 Multiple Vulnerabilities

The version of MongoDB installed on the remote host is 7.0.x prior to 7.0.35, 8.0.x prior to 8.0.24, 8.2.x prior to 8.2.10, or 8.3.x prior to 8.3.3. It is, therefore, affected by multiple vulnerabilities: - A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable...

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the metadata process. An attacker can rename, move, or create links to files within the container by submitting specially crafted metadata values that bypass the intended blocklist. This may also...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation in the metadata field processing. An attacker can rename, move, or change permissions of files within the container by submitting specially crafted tag names such as System:FileName, System:Directory, or...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation in the metadata field processing. An attacker can rename, move, or change permissions of files within the container by submitting specially crafted tag names such as System:FileName, System:Directory, or...

Security update for ImageMagick

This update for ImageMagick fixes the following issues: CVE-2026-33899: Denial of Service via out-of-bounds write in XML parsing bsc1262154. CVE-2026-33900: Denial of Service via integer truncation in viff encoder bsc1262156. CVE-2026-33905: Denial of service via out-of-bounds read in -sample...

CVE-2026-34445

A flaw was found in Open Neural Network Exchange ONNX. An attacker could exploit a vulnerability in how ONNX processes model metadata, specifically within the ExternalDataInfo class. By crafting a malicious ONNX model, an attacker could overwrite internal object properties, leading to a denial of...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview onnx is an Open Neural Network Exchange Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the ExternalDataInfo function. An attacker can cause system unavailability, limited information disclosure, or dat...

CVE-2026-32836

drlibs drflac.h version 0.13.3 and earlier fixed in commits fefced4, 4f5a4cd, and 663239a contain an uncontrolled memory allocation vulnerability in drflacreadanddecodemetadata that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can...

EUVD-2021-19455

Malware in sbrugna...

SUSE-SU-2025:1569-1 Security update for libraw

This update for libraw fixes the following issues: - CVE-2025-43961: Fixed out-of-bounds read in the Fujifilm 0xf00c tag parser in metadata/tiff.cpp bsc1241643 - CVE-2025-43962: Fixed out-of-bounds read when tag 0x412 processing in phaseonecorrect function bsc1241585 - CVE-2025-43963: Fixed...

Linux Distros Unpatched Vulnerability : CVE-2021-37616

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A null pointer dereference was found ...

CVE-2025-0290

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive...

JVN#05508012: EXIF Viewer Classic vulnerable to cross-site scripting

EXIF Viewer Classic provided by Rodrigue former Kakera is a Google Chrome browser extension. The affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability CWE-79. Versions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor informs us...

PT-2025-3813 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 15.0 through 17.5.5 GitLab CE/EE versions 17.6 through 17.6.3 GitLab CE/EE versions 17.7 through 17.7.1 Description: An issue has been discovered in GitLab CE/EE where under certain conditions, processing of CI artifacts...

The vulnerability of the Samba networking communication package arises from synchronization errors when using a shared resource. This allows attackers to gain access to confidential data and compromise its integrity.

The vulnerability of the Samba networking communication package is related to synchronization errors when using a shared resource due to incorrect metadata processing. Exploiting this vulnerability can allow an attacker to gain access to confidential data and compromise its integrity...

The vulnerability of the NTFS-3G driver set-up, which is implemented in the NTFS file system, allows a perpetrator to execute arbitrary code.

The vulnerability of the NTFS-3G driver set-up of the NTFS file system is related to errors in metadata processing. Exploiting this vulnerability can allow an attacker to execute arbitrary code...

The vulnerability of the library for processing metadata in multimedia Exif files, related to incorrect elimination of special elements in the output data, allows attackers to gain access to confidential data, compromise its integrity, and cause service failures.

The vulnerability of the ExifTool library for processing metadata in multimedia files is related to incorrect elimination of special elements in the output data. Exploiting this vulnerability can allow an attacker to gain access to confidential data, compromise its integrity, and even cause servi...

Apple macOS 输入验证错误漏洞

Apple macOS is a proprietary operating system from Apple Inc. that was developed specifically for Mac computers. An input validation error vulnerability exists in macOS, which arises from insufficient validation of user-supplied input within the installer component when processing metadata. The...

UBUNTU-CVE-2016-6292

The exifprocessusercomment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a crafted JPEG image...