K000160994: SQLite vulnerability CVE-2025-70873

Security Advisory Description An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file. CVE-2025-70873 Impact There is no impact; F5 products are not affected by th...

CVE-2026-42363

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...

Machine-Checked Cardinality Bounds for Masked Barrett Reduction: A 1-Bit Side-Channel Leakage Barrier in Post-Quantum Cryptographic Hardware

Barrett reduction is the nonlinear core of every practical NTT-based post-quantum cryptography implementation. Existing composition frameworks ISW, t-SNI, PINI, DOM address Boolean masking over GF2; none provides a machine-checked characterization of Barrett's leakage under first-order arithmetic...

MAS-SZZ: Multi-Agentic SZZ Algorithm for Vulnerability-Inducing Commit Identification

Accurate vulnerability-inducing commit identification serves as a foundation for a series of software security tasks, such as vulnerability detection and affected version analysis. A straightforward solution is the SZZ algorithm, which traces back through the code history to identify the earliest...

📄 SolarEdge 3.0-2021 Cross Site Request Forgery / OOB Injection

SolarEdge version 3.0-2021 suffers from a cross site request forgery vulnerability in the /solaredge-web/p/initClient that can lead to a remote command injection vulnerability. Titles: solaredge-CSRF-OOB-Injection 3.0-2021 web portal Author: nu11secur1tyAI Date: 2026-04-26 Vendor: SolarEdge...

📄 OWASP CRS 3.3.9 / 4.25.x LTS / 4.8.x File Upload Bypass

This proof of concept demonstrating a weakness in some web applications protected by OWASP Core Rule Set CRS or similar filters, where file upload validation can be bypassed using ambiguous filename formatting...

📄 Vienna Assistant 1.2.542 macOS Privilege Escalation

A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection...

Linux Distros Unpatched Vulnerability : CVE-2026-41324

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory...

Fedora 44 : curl (2026-f13d888b0f)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f13d888b0f advisory. - Fix bad reuse of HTTP Negotiate connection CVE-2026-1965 - Fix token leak with redirect and netrc CVE-2026-3783 - Fix wrong proxy connection reuse...

Linux Distros Unpatched Vulnerability : CVE-2026-31592

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - KVM: SEV: Protect all of sevmemencregisterregion with kvm-lock Take and hold kvm-lock for before checking sevguest in sevmemencregisterregion, as sevguest isn't...

EUVD-2026-25743

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...

CVE-2026-42363 GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...

CVE-2026-42363

CVE-2026-42363 affects GeoVision GV-IP Device Utility 9.0.5. The Device Authentication flow encrypts credentials using a protocol resembling Blowfish, but the symmetric key is included in the packet, making confidentiality rely on obscurity. When admin users interact with devices, credentials may...

CVE-2026-42363 GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...

CVE-2026-42363

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...

BinExploit-Bench

BinExploit-Bench: Binary Exploitation Capability Benchmark for...

GHSA-74M3-9QVM-RP9H zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

Summary The zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without...

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

Summary The zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without...

Exploit for CVE-2026-21847

CVE-2026-21847: Hardcoded AES Encryption Key in DPDC Customer...

CVE-2026-33318

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...