PT-2026-41012

Name of the Vulnerable Software and Affected Versions GStreamer gst-plugins-good versions prior to 1.28.2 Description An issue exists when parsing MP4 audio tracks where the isomp4 plugin's qtdemux parse trak function fails to sufficiently validate atom data before performing division operations...

DEBIAN-CVE-2026-43970

Improper Handling of Highly Compressed Data Data Amplification vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

MGASA-2026-0129 Updated apache packages fix security vulnerabilities

http2: double free and possible RCE on early reset. CVE-2026-23918 modrewrite elevation of privileges via apexpr. CVE-2026-24072 buffer overflow in modproxyajp via ajpmsgcheckheader. CVE-2026-28780 modmd unrestricted OCSP response. CVE-2026-29168 moddavlock indirect lock crash. CVE-2026-29169...

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers

A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the jvparsesized function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the erro...

jq security update

1.7.1-13 - Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions 1.7.1-12 - Fix CVE-2026-39979 out-of-bounds read in jvparsesized...

Oracle Linux 8 : jq (ELSA-2026-16252)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-16252 advisory. - Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions - Fix CVE-2026-39979 out-of-bounds read in jvparsesized Tenab...

CVE-2026-44296

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service DoS vulnerability affects Deskflow servers running with TLS enabled the default. When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS...

CVE-2026-43930

CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...

CVE-2026-43930 Parse Server: MFA SMS one-time password accepted twice under concurrent login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive...

CVE-2026-43930 Parse Server: MFA SMS one-time password accepted twice under concurrent login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive...

OSV-2026-718 Heap-buffer-overflow in md_parse

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=511825301 Crash type: Heap-buffer-overflow READ 1 Crash state: mdparse mdhtml fuzz-mdhtml.c...

OSV-2026-717 Stack-use-after-scope in enter_block_callback

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=511831392 Crash type: Stack-use-after-scope READ 4 Crash state: enterblockcallback mdprocessallblocks mdparse...

Parse Server 竞争条件问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were vulnerabilities due to concurrency issues in versions of Parse Server prior to 8.6.76 and 9.9.0-alpha.2. These vulnerabilities stemmed from concurrency...

ip-address 跨站脚本漏洞

ip-address is a JavaScript library developed by Beau Gunderson, designed for verifying and manipulating IPv4 and IPv6 addresses. Versions prior to 10.1.1 of ip-address had a cross-site scripting vulnerability. This vulnerability stemmed from the Address6.group and Address6.link methods not proper...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

Allocation of Resources Without Limits or Throttling

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the...

CVE-2026-8292

A security vulnerability has been detected in Open5GS up to 2.7.7. The affected element is the function yuarelparse in the library /lib/sbi/conv.c of the component NRF. Such manipulation of the argument hnrf-uri leads to denial of service. The attack may be performed from remote. The exploit has...

CVE-2026-8292 Open5GS NRF conv.c yuarel_parse denial of service

A security vulnerability has been detected in Open5GS up to 2.7.7. The affected element is the function yuarelparse in the library /lib/sbi/conv.c of the component NRF. Such manipulation of the argument hnrf-uri leads to denial of service. The attack may be performed from remote. The exploit has...

CVE-2026-8292

Open5GS up to 2.7.7 contains a vulnerability in NRF: the yuarel_parse function in /lib/sbi/conv.c can be triggered by manipulating hnrf-uri, causing denial of service. The issue is exploitable remotely and public exploits are disclosed; Open5GS was informed via an issue but has not responded. No ...