CVE-2026-53423 Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin

Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membranemp4plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.toatom/1 without validation...

CVE-2026-46739

A flaw was found in perl-Net-Statsd. This vulnerability allows an attacker to inject additional statsd metrics due to insufficient validation of metric names and values. Specifically, the software does not properly check for newlines, colons, or pipes in metric names, nor does it ensure that valu...

skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion

Impact skillctl 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to: 1. Exfiltrate arbitrary files on the operator's machine by publishing a malicious skills library containing a symlink inside a skill folder e.g. niania →...

CVE-2026-43967

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls...

CVE-2026-40518

ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write vulnerability in bootstrap-mode custom-agent creation where the agent name validation is bypassed. Attackers can supply traversal-style values or absolute paths as the agent name to influence directory...

Regular Expression Denial of Service (ReDoS)

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the read function when attacker-controlled input is used as the cookie name parameter, which is interpolated into a regular...

EUVD-2026-34197

PackagePersister.validatetgz builds "tar -tf tgz 2&1" where tgz = File.joinreleasedir, 'packages', "name.tgz" and name = packagemeta'name' comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x — i.e., /bin/sh -c. No...

CVE-2026-41011

PackagePersister.validatetgz builds "tar -tf tgz 2&1" where tgz = File.joinreleasedir, 'packages', "name.tgz" and name = packagemeta'name' comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x — i.e., /bin/sh -c. No...

CVE-2026-7421

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the getshopurl method returning the shopname setting value without sanitization when it begins with "http", combined with insufficient validation in th...

Ubuntu 24.04 LTS / 25.10 : Foomuuri vulnerabilities (USN-8326-1)

The remote Ubuntu 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8326-1 advisory. Matthias Gerstner discovered that Foomuuri's D-Bus service did not properly enforce authorization. An unprivileged local attacker could possibly...

USN-8326-1 foomuuri vulnerabilities

Matthias Gerstner discovered that Foomuuri's D-Bus service did not properly enforce authorization. An unprivileged local attacker could possibly use this issue to manipulate the firewall configuration, contrary to expectations. CVE-2025-67603 Matthias Gerstner discovered that Foomuuri's D-Bus...

USN-8326-1: Foomuuri vulnerabilities

Matthias Gerstner discovered that Foomuuri's D-Bus service did not properly enforce authorization. An unprivileged local attacker could possibly use this issue to manipulate the firewall configuration, contrary to expectations. CVE-2025-67603 Matthias Gerstner discovered that Foomuuri's D-Bus...

CLSA-2026-1779535502 unbound: Fix of CVE-2026-33278

CVE-2026-33278: possible remote code execution during DNSSEC validation via a dangling rrsets pointer in dnsmsgdeepcopyregion exposed by the backported KeyTrap mitigation...

SUSE CVE-2026-42000

Insufficient Validation of Names During AXFR...

GHSA-45VW-WH46-2VX8 Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

Description The obj.expr dynamic-attribute syntax added in 3.15.0 as the replacement for the deprecated attribute function lets the attribute be an arbitrary expression. When the receiver is self or any % import % alias and the parenthesised expression is a string literal, DotExpressionParser...

CVE-2026-42000

Insufficient Validation of Names During AXFR...

CVE-2026-42000 Insufficient Validation of Names During AXFR

Insufficient Validation of Names During AXFR...

EUVD-2026-31261

Insufficient Validation of Names During AXFR...

PowerDNS Authoritative 命令注入漏洞

PowerDNS Authoritative is a DNS server software developed by PowerDNS Corporation. PowerDNS Authoritative has a command injection vulnerability, which stems from insufficient name validation during the AXFR process...

Astra Linux - уязвимость в linux-5.15, linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: Platform/x86: think-lmi: Fixed reference leak If a duplicate attribute is found using ksetfindobj, a reference to that attribute is returned, and that reference needs to be disposed of using kobjectput. The validation of the...