CVE-2026-45676 OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section...

CVE-2026-45676

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section...

Node.JS System Information Library <5.3.1 - Remote Command Injection

Node.JS System Information Library System before version 5.3.1 is susceptible to remote command injection. Node.JS npm package "systeminformation" is an open source collection of functions to retrieve detailed hardware, system and OS information. id: CVE-2021-21315 info: name: Node.JS System...

Processwire CMS <2.7.1 - Local File Inclusion

Processwire CMS prior to 2.7.1 is vulnerable to local file inclusion because it allows a remote attacker to retrieve sensitive files via the download parameter to index.php. id: CVE-2020-27467 info: name: Processwire CMS 2.7.1 - Local File Inclusion author: 0xAkoko severity: high description:...

MAL-2026-5153 Malicious code in @att-ebiz/abs-components-bc (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d9d4d8606057fc579fbbc6ede648c88bb580827838850f589e8887c1dd374a39 The OpenSSF Package Analysis project identified '@att-ebiz/abs-components-bc' @ 99.9.1 npm as malicious. It is considered malicious because: - T...

CVE-2026-25681 vulnerabilities

Vulnerabilities for packages: terraform-provider-acme, grafana-pyroscope, k3s, traefik, crossplane-provider-azure-storage, vale, gitea, fq, hydra, prometheus-operator, istio, step, glab, kots, crossplane-provider-azure-authorization, minio, kubernetes-dashboard, telegraf, kyverno, kubernetes, kin...

PT-2026-45859

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.6 authentik versions prior to 2026.2.4 authentik versions prior to 2026.5.1 Description authentik is an open-source identity provider. The Source stage can be bypassed by sending an empty POST request...

RockyLinux 10 : openssh (RLSA-2026:19069)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19069 advisory. OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode CVE-2026-35385 OpenSSH: OpenSSH: Security bypass via...

Ubuntu 25.10 / 26.04 LTS : LibreOffice vulnerability (USN-8352-1)

The remote Ubuntu 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8352-1 advisory. Duc Anh Nguyen discovered that LibreOffice incorrectly handled mismatched encryption salt parameters in crafted OOXML documents. An attacker could use thi...

PT-2026-45690

A flaw has been found in DedeCMS 5.7.88. Affected by this vulnerability is the function base64 decode of the file /plus/download.php?open=1. This manipulation of the argument Link causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and...

angr 9.2.220

angr is an open-source binary analysis platform for Python. It combines both static and dynamic symbolic "concolic" analysis, providing tools to solve a variety of tasks...

PT-2026-45855

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions prior to 2026.2.3 Description An issue exists in the Simple Flow Executor SFE, which is a component used to manage the sequence of steps in an authentication flow. Due to the...

PT-2026-45832

Name of the Vulnerable Software and Affected Versions React Router versions 6.7.0 through 6.30.3 React Router versions 7.0.0 through 7.14.0 Description Certain URLs passed to the redirect function can trigger an open redirect to an external domain. This occurs because path values starting with //...

PT-2026-45879

Name of the Vulnerable Software and Affected Versions alf.io versions prior to 2.0-M5-2606 Description An authenticated administrator can execute arbitrary operating system commands on the server due to a sandbox escape in the extension script engine. The system is designed to run restricted...

PT-2026-45866

Name of the Vulnerable Software and Affected Versions ahujasid blender-mcp versions prior to 5b37be25242e73dc4cf1328974d30458b9e5d67e Description An injection issue exists in the Open function within the src/blender mcp/server.py file. This occurs when the input image url argument is manipulated,...

PT-2026-45867

Name of the Vulnerable Software and Affected Versions OpenCTI versions prior to 7.260227.0 Description An issue exists in the rendering of email-message observable body data where the content of the body field is not appropriately sanitized. This allows for Cross-Site Scripting XSS, a technique...

PT-2026-45858

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.6 authentik versions prior to 2026.2.4 authentik versions prior to 2026.5.1 Description An attacker who has the ability to modify a source connection and possesses an account in one of the configured sources...

CentOS 9 : kernel-5.14.0-710.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the kernel-5.14.0-710.el9 build changelog. - In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proclseek as ones for procreaditer et....

EUVD-2026-33829

eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited only the title...

Malicious Package

Overview vpmdhaj-opensearch-setup is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...