RockyLinux 10 : postgresql16 (RLSA-2026:19010)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19010 advisory. postgresql: PostgreSQL oidvector discloses a few bytes of memory CVE-2026-2003 postgresql: PostgreSQL missing validation of multibyte character length...

php: global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

A flaw was found in PHP. When an encoding name containing an embedded NUL byte is passed to mbconvertencoding or related mbstring functions, an out-of-bounds read of only 1 byte can occur due to the incorrect processing of string lengths. This issue can cause a denial of service or limited...

RLSA-2026:19010 Important: postgresql16 security update

PostgreSQL is an advanced Object-Relational database management system DBMS. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine a...

postgresql16 security update

An update is available for postgresql16. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list PostgreSQL is an advanced Object-Relational database management system...

RLSA-2026:19009 Important: postgresql18 security update

PostgreSQL is an advanced Object-Relational database management system DBMS. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine a...

CVE-2026-47676

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...

EUVD-2026-32924

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the...

Hono 安全漏洞

Hono is a web framework built with TypeScript in the Hono community. Versions of Hono prior to 4.12.21 contained security vulnerabilities. These vulnerabilities stemmed from the use of app.mount to remove the mount prefix using raw URL path names. Route matching was performed on percent-encoded...

CLSA-2026-1779212665 php: Fix of 14 CVEs

CVE-2018-5711: fix infinite loop in gdImageCreateFromGifCtx - CVE-2018-5712: remove file name from phar stub error output XSS - CVE-2018-10545: do not set PRSETDUMPABLE in php-fpm workers by default - CVE-2018-10546: fail iconvmimedecode on invalid multibyte sequences - CVE-2018-10547: escape...

postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database...

postgresql: PostgreSQL missing validation of multibyte character length executes arbitrary code

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database...

Important: Red Hat Security Advisory: postgresql18 security update

An update for postgresql18 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

ALSA-2026:19010 Important: postgresql16 security update

PostgreSQL is an advanced Object-Relational database management system DBMS. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine a...

ALSA-2026:19009 Important: postgresql18 security update

PostgreSQL is an advanced Object-Relational database management system DBMS. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine a...

BIT-LIBPHP-2026-7259 Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when...

PT-2026-40293

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb convert encoding or related mbstring functions, the code incorrectly assumes that when strncasecmp returns 0 it means the strings have the same length. This can lead to...

Exploit for CVE-2025-1094

--- POC Khai thác lỗ hổng CVE-2025-1094: PostgreSQL psql SQL...

CVE-2026-7259

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when...

UBUNTU-CVE-2026-7259

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when...

CLSA-2026-1777540266 vim: Fix of 10 CVEs

CVE-2022-2182: in doonecmd, after ";" sets curwin-wcursor.lnum to ea.line2, call checkcursor instead of checkcursorlnum so the column is validated too, and fall back to checkcursorcol when ea.line2 is zero, preventing read past end-of-line on ":0;'". - CVE-2022-2206: in checkshellsize, clamp...