EUVD-2026-32926

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6...

GHSA-8XVP-7HJ6-MCJ9 GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands

Summary GitHub CLI incorrectly includes an authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. Affected users: - Authenticated github.com users who previously ran gh attestation commands, gh release verify, or...

Important: python

Issue Overview: The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other...

OESA-2026-1902 python3 security update

Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...

PraisonAI Has Path Traversal in FileTools

Executive Summary: The path validation has a critical logic bug: it checks for .. AFTER normpath has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the...

GHSA-693F-PF34-72C5 PraisonAI Has Path Traversal in FileTools

Executive Summary: The path validation has a critical logic bug: it checks for .. AFTER normpath has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the...

CVE-2025-13462

CVE-2025-13462 concerns the Python tarfile module: it would normalize AREGTYPE (\x00) blocks to DIRTYPE even when processing GNU LONGNAME/LONGLINK multiblock members, which could cause a crafted tar archive to be interpreted differently from other implementations. Affected stack/impact are descri...

CVE-2025-13462

The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations...

EUVD-2026-4656

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal...

EUVD-2008-3159

Malware in sbrugna...

CVE-2025-55000

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected...

undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass

A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass...

OESA-2024-2043 python-webob security update

WebOb provides wrappers around the WSGI request environment, and an object to help create WSGI responses. The objects map much of the specified behavior of HTTP, including header parsing and accessors for other standard parts of the environment. Security Fixes: WebOb provides objects for HTTP...

PYSEC-2024-188

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the...

Heap overflow

Multiple heap-based buffer overflows in Empire Server before 4.3.15 allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to a "coordinate normalization bug." NOTE: some of these details are obtained from third party information...

CVE-2008-3169

Multiple heap-based buffer overflows in Empire Server before 4.3.15 allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to a "coordinate normalization bug." NOTE: some of these details are obtained from third party information...