133492 matches found
K000162310: Linux kernel vulnerability CVE-2026-46316
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgicitsinvalidatecache walks the per-ITS translation cache with xaforeach and drops the cache's reference on each...
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a security bypass vulnerability (CVE-2026-10842)
Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a security bypass vulnerability with the appSecurity-1.0, appSecurity-2.0 , appSecurity-3.0 or appSecurity-4.0 feature enabled. Vulnerability Details CVEID:CVE-2026-10842 DESCRIPTION: IBM WebSphere...
GHSA-VJ7Q-GJH5-988W MCP Python SDK: WebSocket server transport does not support Host/Origin validation
Summary In affected versions, the deprecated WebSocket server transport mcp.server.websocket.websocketserver accepted the WebSocket handshake without applying any Host or Origin header validation. The TransportSecuritySettings mechanism that the SSE and Streamable HTTP transports use for this...
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
Summary In affected versions, the deprecated WebSocket server transport mcp.server.websocket.websocketserver accepted the WebSocket handshake without applying any Host or Origin header validation. The TransportSecuritySettings mechanism that the SSE and Streamable HTTP transports use for this...
GHSA-48QW-824M-86PR ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read
Impact A user holding only reader read-only privileges on a single database could execute arbitrary JVM code by sending a "language": "js" command to the POST /api/v1/command/database HTTP endpoint, and use it to read arbitrary files on the host filesystem e.g. /etc/passwd, configuration files,...
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read
Impact A user holding only reader read-only privileges on a single database could execute arbitrary JVM code by sending a "language": "js" command to the POST /api/v1/command/database HTTP endpoint, and use it to read arbitrary files on the host filesystem e.g. /etc/passwd, configuration files,...
GHSA-5RG2-XV9J-GV5P nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof
Impact A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add primitives/src/keynibbles.rs:332 / :34...
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof
Impact A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add primitives/src/keynibbles.rs:332 / :34...
GHSA-46WQ-28CX-MHW4 nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys
Impact A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify calls TrieProofNode::childindex primitives/src/trie/trieproofnode.rs:94, which unconditionally unwraps...
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys
Impact A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify calls TrieProofNode::childindex primitives/src/trie/trieproofnode.rs:94, which unconditionally unwraps...
GHSA-WPCJ-RMV4-86QG Nuclio: Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container
Summary Nuclio Dashboard exposes POST /api/functions without authentication by default NOP auth mode. The spec.handler field e.g., mymodule:myfunction is parsed by functionconfig.ParseHandler which splits on : only — no path validation is applied to the module portion. During function build,...
Nuclio: Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container
Summary Nuclio Dashboard exposes POST /api/functions without authentication by default NOP auth mode. The spec.handler field e.g., mymodule:myfunction is parsed by functionconfig.ParseHandler which splits on : only — no path validation is applied to the module portion. During function build,...
GHSA-3V79-M2CG-89WW Nuclio: Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE
Summary Nuclio's Java runtime generates a build.gradle file during function builds using Go's text/template package. The template renders runtimeAttributes.repositories values with the . action, which performs no escaping. An attacker can embed a closing brace to break out of the repositories blo...
Nuclio: Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE
Summary Nuclio's Java runtime generates a build.gradle file during function builds using Go's text/template package. The template renders runtimeAttributes.repositories values with the . action, which performs no escaping. An attacker can embed a closing brace to break out of the repositories blo...
GHSA-H7PQ-86H8-RP5X Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant can create EnvoyExtensionPolicy baseline - Controller has egress to attacker-controlled OCI registry - No registry allowlist none exists in code - Layer presents Docker/OCI...
Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant can create EnvoyExtensionPolicy baseline - Controller has egress to attacker-controlled OCI registry - No registry allowlist none exists in code - Layer presents Docker/OCI...
GHSA-CXPQ-8V7Q-CG56 Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant can create EnvoyExtensionPolicy baseline - Attacker hosts a gzip-bomb at a reachable URL - sha256 unset optional field; check is post-decompression anyway - No operator...
Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant can create EnvoyExtensionPolicy baseline - Attacker hosts a gzip-bomb at a reachable URL - sha256 unset optional field; check is post-decompression anyway - No operator...
Security update for tomcat
This update for tomcat fixes the following issues Update to Tomcat 9.0.119. Security issues fixed: CVE-2026-50229: improper neutralization of script-related HTML tags in the number guess example bsc1269791. CVE-2026-53404: always-incorrect control flow implementation in the rewrite valve caused...
Security update for tomcat11
This update for tomcat11 fixes the following issues Update to Tomcat 11.0.23. Security issues fixed: CVE-2026-50229: improper neutralization of script-related HTML tags in the number guess example bsc1269791. CVE-2026-53404: always-incorrect control flow implementation in the rewrite valve caused...