EUVD-2026-37005

i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string...

EUVD-2026-37006

i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names...

CVE-2026-48713

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input. Backend.writeFile splits each queued missing-key string on the configured...

CVE-2026-48714

The CVE-2026-48714 issue affects i18next-http-middleware prior to 3.9.7. The missingKeyHandler can accept request-body keys like proto , constructor, and prototype (and similar dotted variants) and, when downstream backends such as i18next-fs-backend ≤ 2.6.5 split on keySeparator, passes them to ...

CVE-2026-48713

CVE-2026-48713 affects i18next-fs-backend prior to 2.6.6. The issue arises when crafted missing-key strings are persisted via missingKeyHandler, where Backend.writeFile() splits keys on keySeparator and the path walker could reach Object.prototype (e.g., a key like "proto .polluted"), allowing pr...

PT-2026-49528

Name of the Vulnerable Software and Affected Versions i18next versions prior to 2.6.6 Description Prototype pollution occurs via crafted missing-key strings when used to persist missing translation keys. This happens when the Backend.writeFile function splits queued missing-key strings using the...

CVE-2026-45254

In the case of the capnet service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit...

rustfs 安全漏洞

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to 1.0.0-beta.2 contained security vulnerabilities. These vulnerabilities stemmed from the internal RPC layer reverting to the public default key when no shared key was configured, which could lead to...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the custom-payload-file field in REST API server mode. An attacker can read and exfiltrate arbitrary files accessible to the process by supplying a path to a file, which is then read line-by-lin...

EEF-CVE-2026-42789 Non-CA certificate accepted as intermediate issuer in public_key path validation

Summary Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP publickey pubkeycert module allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/publickey/src/pubkeycert.erl, pubkeycert:validateextensions/7...

CVE-2026-42784

openpgp: Dont imply missing key flags from key type...

UBUNTU-CVE-2026-42784

openpgp: Dont imply missing key flags from key type...

CVE-2026-45254

In the case of the capnet service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit...

CVE-2026-45254 Incorrect libcap_net limitation list manipulation

In the case of the capnet service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit...

CVE-2026-42783

openpgp: Dont imply missing key flags from key type...

FreeBSD Security Advisory - FreeBSD-SA-26:24.cap_net

FreeBSD Security Advisory - In the case of the capnet service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected...

OPENSUSE-SU-2026:20809-1 Security update for trivy

This update for trivy fixes the following issues - CVE-2025-64702: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS bsc1255366. - CVE-2025-69725: github.com/go-chi/chi/v5: incorrect input validation in the RedirectSlashes function can lead to an open redirect bsc1258513...

GHSA-5FGG-JCPF-8JJW i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters

Summary Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF. The vulnerable entry points are unauthenticated HTTP...

Missing Cryptographic Key Commitment

software.amazon.encryption.s3, amazon-s3-encryption-client-java is vulnerable to missing cryptographic key commitment. The vulnerability is due to improper validation of encrypted data keys when stored in instruction files instead of metadata, which allows an attacker with write access to the S3...

CVE-2026-3230

A flaw was found in wolfSSL. A remote attacker could exploit a missing cryptographic step in the Transport Layer Security TLS 1.3 client HelloRetryRequest handshake logic. By sending a crafted HelloRetryRequest followed by a ServerHello message that omits the required keyshare extension, an...