Astra Linux - уязвимость в golang-1.15

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method...

Astra Linux - уязвимость в firefox, thunderbird

Cross-Site Tracing occurs when a server echoes a request back using the Trace method, allowing an XSS attack to access authorization headers and cookies that are inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitigate this attack, browsers imposed restrictions on fetch and...

Astra Linux - уязвимость в haproxy

A issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. A HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, as in t...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: shmem: Use ramfskillsb for the killsb method of ramfs-based tmpfs. Since ramfs-based tmpfs uses ramfsinitfscontext for the initfscontext method, which allocates fc-sfsinfo, using ramfskillsb allows for its freeing and avoids a...

Astra Linux - уязвимость в linux-5.15, linux, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Platform/x86: mxm-wmi: fixed a memory leak in the mxmwmicallmxds|mx function. The ACPI buffer memory out.pointer returned by wmievaluatemethod is not freed after the call, resulting in a memory leak. This issue occurs because the...

Astra Linux - уязвимость в libjackson-json-java

A deserialization flaw was discovered in the Jackson-Databind library, in versions prior to 2.6.7.1, 2.7.9.1, and 2.8.9. This flaw could allow an unauthenticated user to execute arbitrary code by sending maliciously crafted input to the readValue method of the ObjectMapper...

Astra Linux - уязвимость в libxml-security-java

All versions of Apache Santuario – XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to a issue where the “secureValidation” property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to exploit an XPath Transform to extract any...

Astra Linux - уязвимость в python-urllib3

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest. NOTE: this is similar to CVE-2020-26116...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: ksmbd: Fixed a race condition in the RPC handle list access. The sess-rpchandlelist XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by sess-rpclock a rwsemaphore. However, the...

Astra Linux - уязвимость в node-es5-ext

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into functioncopy or functiontoStringTokens may cause the script to stall. The vulnerability is patched in v0.10.63...

Astra Linux - уязвимость в golang-github-prometheus-client-golang

clientgolang is the instrumentation library for Go applications in Prometheus, and the promhttp package in clientgolang provides tooling around HTTP servers and clients. In clientgolang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Bonding: A potential infinite loop has been prevented in the bondheaderparse function. The bondheaderparse function may enter an infinite loop if a stack of two bonding devices is set up. This occurs because skb-dev always points...

CVE-2026-7677 kerwincui FastBee System Notice SysNoticeController.java add cross site scripting

A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument...

yudao-cloud 授权问题漏洞

Yudao-Cloud is a backend management system developed by YunaiV’s individual developer. Versions of Yudao-Cloud prior to 2026.01 contained an authorization issue vulnerability. This vulnerability originated from the function getAccessToken in the file...

Exploit for Incorrect Resource Transfer Between Spheres in Linux Linux_Kernel

cd ./co...

Exploit for Code Injection in Flowiseai Flowise

CVE-2025-59528 PoC ⚠️ For educational and authorized securit...

ps_checkout allows unauthorized method invocation through unvalidated parameter

Impact Unvalidated parameter can lead to some unauthorized method invocation with very little possibilities. Patches The problem has been patched in versions - v5.3.0 for PrestaShop 1.7 build number: 7.5.3.0 - v5.3.0 for PrestaShop 8 build number: 8.5.3.0 - v5.3.0 for PrestaShop 9 build number:...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation via unvalidated parameters in the process. An attacker can invoke unauthorized methods by supplying crafted input. Remediation Upgrade prestashop/pscheckout to version 5.3.0 or higher. References - GitHub...

EUVD-2026-26406

Multiple authenticated cross-site scripting XSS vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream or getReader functions...

Admidio Missing Minimum Administrator Check in Role Membership Removal

Summary Role::stopMembership does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other...