302 matches found

CheckPoint Security
added 2026/06/04 12:0 a.m. | 14 views

CVE-2026-50751 - User Authentication bypass on VPN Remote Access and Mobile Access in deprecated IKEv1 key exchange

Symptoms - An attacker can bypass user authentication by exploiting a logic flow weakness in the Remote Access and Mobile Access certificate validation and establish a remote access VPN connection without a valid user password. Check Point is aware of this vulnerability being exploited in the wil...

CVSS 9.3 | AI score 5.9 | EPSS 0.41152 | Exploits 5

Packet Storm
added 2026/03/30 12:0 a.m. | 90 views

LuaJIT 2.1.1774638290 Arbitrary Code Execution

LuaJIT's Foreign Function Interface (FFI) provides unrestricted access to native C functions including syscall, mmap, mprotect and arbitrary shared library loading. When FFI is accessible to untrusted Lua code in embedding scenarios (OpenResty, Redis, game engines, IoT), an attacker can achieve...

AI score 6.4 | Exploits 0

NVD
added 2026/03/20 11:16 p.m. | 4 views

CVE-2026-33186

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory...

CVSS 9.1 | EPSS 0.00522 | Exploits 1 | References 1

OSV
added 2026/03/11 6:0 p.m. | 3 views

UBUNTU-CVE-2026-1965

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...

CVSS 6.5 | AI score 5.8 | EPSS 0.00259 | Exploits 0 | References 5

SUSE CVE
added 2026/03/11 4:20 p.m. | 2 views

SUSE CVE-2026-1965

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of...

CVSS 7.5 | AI score 5.8 | EPSS 0.00259 | Exploits 0 | References 17

RedhatCVE
added 2026/03/05 8:36 a.m. | 3 views

CVE-2026-3381

A flaw was found in Compress::Raw::Zlib. This component bundles an outdated version of the zlib compression library, which contains known security vulnerabilities. An attacker could potentially exploit these underlying zlib vulnerabilities through Compress::Raw::Zlib, leading to unspecified...

CVSS 9.8 | AI score 5.6 | EPSS 0.00548 | Exploits 1 | References 9

RedhatCVE
added 2026/02/10 6:32 p.m. | 7 views

CVE-2026-23901

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1., 2. before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, tha...

CVSS 2.9 | AI score 5.1 | EPSS 0.00219 | Exploits 0 | References 4

Positive Technologies
added 2025/10/09 12:0 a.m. | 7 views

PT-2025-41454

Name of the Vulnerable Software and Affected Versions: New API versions prior to 0.9.0.5. Description: New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. An authenticated Server-Side Request Forgery (SSRF) issue exists because the application does not...

CVSS 8.5 | AI score 5.9 | EPSS 0.00218 | Exploits 0 | References 11

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2022-33586

Malicious code in bioql PyPI...

CVSS 5.9 | AI score 5.8 | EPSS 0.00942 | Exploits 0 | References 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-53109

Malicious code in bioql PyPI...

CVSS 9.4 | AI score 6.5 | EPSS 0.00715 | Exploits 0 | References 4

EUVD
added 2025/10/03 8:7 p.m. | 6 views

EUVD-2024-41461

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.3 | EPSS 0.00632 | Exploits 0 | References 4

Cvelist
added 2025/09/24 9:29 a.m. | 11 views

CVE-2025-58457 Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands

Improper permission check in ZooKeeper AdminServer lets authorized clients run snapshot and restore commands with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be...

EPSS 0.00294 | Exploits 0 | References 1

Debian
added 2025/08/24 7:42 p.m. | 4 views

[SECURITY] [DLA 4280-1] unbound security update

Debian LTS Advisory DLA-4280-1 | https://www.debian.org/lts/security/ | Guilhem Moulin | August 24, 2025 | https://wiki.debian.org/LTS | Package: unbound | Version: 1.13.1-1+deb11u5 | CVE ID: CVE-2024-33655 CVE-2025-5994 | Debian Bug: 1109427 | Vulnerabilities were found in unbound,...

CVSS 8.7 | AI score 6.7 | EPSS 0.01729 | Exploits 0

RedhatCVE
added 2025/08/08 12:5 p.m. | 6 views

CVE-2025-54368

A flaw was found in uv. The package's handling of remote ZIP archives processes entries sequentially without verifying them against the archive's central directory. This vulnerability allows a remote attacker to craft a malicious ZIP archive that can cause unexpected behavior when processed...

CVSS 6.8 | AI score 6.1 | EPSS 0.00183 | Exploits 0 | References 2

RedhatCVE
added 2025/08/08 11:35 a.m. | 3 views

CVE-2025-47219

A flaw was found in gstreamer1-plugins-good. The isomp4 plugin's qtdemux_parse_trak function incorrectly handles MP4 file parsing, resulting in a heap buffer over-read. This flaw allows a local attacker to provide a specially crafted MP4 file. This over-read can lead to information disclosure...

CVSS 8.1 | AI score 5.7 | EPSS 0.00578 | Exploits 1 | References 5

RedhatCVE
added 2025/08/08 10:45 a.m. | 14 views

CVE-2025-45765

A flaw was found in ruby-jwt. The library does not enforce minimum key sizes for encryption, allowing the use of weak keys that may be vulnerable to decryption. A malicious actor can leverage this lack of enforcement to compromise the confidentiality of data protected by the library. This can...

CVSS 9.1 | AI score 5.8 | EPSS 0.00152 | Exploits 0 | References 5

RedhatCVE
added 2025/08/08 6:41 a.m. | 11 views

CVE-2025-54886

A flaw was found in skops. The Card.get_model function allows arbitrary code execution due to a lack of input validation, allowing a local attacker to trigger this vulnerability. This issue occurs when processing a malicious job file, leading to potential arbitrary code execution on the affected...

CVSS 8.4 | AI score 6.7 | EPSS 0.00197 | Exploits 0 | References 5

RedhatCVE
added 2025/08/07 6:20 p.m. | 4 views

CVE-2025-44779

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use an...

CVSS 6.6 | AI score 6.4 | EPSS 0.00156 | Exploits 0 | References 2

RedhatCVE
added 2025/08/07 7:30 a.m. | 4 views

CVE-2025-47908

A flaw was found in github.com/rs/cors. The middleware exhibits excessive heap memory allocation when handling preflight requests containing a lengthy, comma-separated value in the Access-Control-Request-Headers (ACRH) header. This vulnerability allows an attacker to send a specially crafted HTTP...

CVSS 7.5 | AI score 6 | EPSS 0.00533 | Exploits 0 | References 6

RedhatCVE
added 2025/08/06 7:57 p.m. | 4 views

CVE-2024-8244

The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress...

CVSS 6.5 | AI score 6.3 | EPSS 0.0019 | Exploits 0 | References 5