Integer Underflow (Wrap or Wraparound)

Overview Affected versions of this package are vulnerable to Integer Underflow Wrap or Wraparound in the parsemessage function when the NegoEx mechanism is registered in /etc/gss/mech. An attacker can cause process termination by sending specially crafted requests with a short headerlen that...

MIT Kerberos 代码问题漏洞

MIT Kerberos is a software used by the Massachusetts Institute of Technology MIT for authentication in network clusters. As a network authentication protocol, its design goal is to provide robust authentication services for client/server applications through a key system. Prior to version 5.1.2.3...

CLSA-2026-1777306907 runc: Fix of CVE-2026-25679

Rebuild with Go 1.25.8 to fix Go standard library CVE - CVE-2026-25679: reject invalid IPv6 host literals in net/url.Parse to prevent URL validation bypass...

CLSA-2026-1777059908 binutils: Fix of 4 CVEs

CVE-2022-47673: fix out-of-bounds reads in parsemodule bfd/vms-alpha.c, combined backport of upstream commits c9178f28, 942fa4fb, 77c225bd, 65cf035b and c093f5ee patch also covers CVE-2023-25584 - CVE-2022-47695: fix segfault in objdump comparesymbols on synthetic plt symbols - CVE-2022-47696:...

CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

CVE-2026-42044

Axios versions 1.0.0 through before 1.15.2 are affected by a Prototype Pollution Gadget in the parseReviver path used by the default transformResponse (lib/defaults/index.js). A polluted Object.prototype can be leveraged to surgically modify JSON API responses, potentially enabling privilege esca...

DEBIAN-CVE-2026-31559

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix missing NULL checks for kstrdup 1. Replace "offindnodebypath"/"" with "ofroot" to avoid multiple calls to "ofnodeput". 2. Fix a potential kernel oops during early boot when memory allocation fails while parsing CPU...

SUSE-SU-2026:1618-1 Security update for dnsdist

This update for dnsdist fixes the following issues: Update to version 1.9.12. - https://www.dnsdist.org/changelog.htmlchange-1.9.12 Security issues fixed: - CVE-2026-0396: crafted DNS queries triggering domain-based dynamic rules can lead to HTML injection in the web dashboard bsc1261236. -...

CLSA-2026-1777029448 containernetworking-plugins: Fix of CVE-2026-25679

rebuild with newer golang version 1.25.7-1.el96.tuxcare.els2 to fix the following CVE - CVE-2026-25679: reject IPv6 literals not at the start of the host subcomponent in net/url.Parse to prevent URL authority validation bypass...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation Upgrade github.com/binwiederhier/ntfy/v2/server to version 2.21.0 or...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation Upgrade heckel.io/ntfy/v2/server to version 2.21.0 or higher. Reference...

Axios 安全漏洞

Axios is an open-source HTTP client developed by Axios. Versions of Axios from 1.0.0 to 1.15.2 had security vulnerabilities. These vulnerabilities stemmed from the use of the transformResponse function during JSON parsing, where the parseReviver function from the merge configuration object was...

UBUNTU-CVE-2026-2708

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soupmessageheadersappendcommon function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker...

CVE-2026-2708

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soupmessageheadersappendcommon function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker...

EUVD-2026-25232

An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function...

ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function

An issue in Ntfy ntfy.sh before v.2.22.0 allows a remote attacker to execute arbitrary code via the parseActions function...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CLSA-2026-1776963378 binutils: Fix of 8 CVEs

CVE-2022-47007: fix memory leak in stabdemanglev3arg - CVE-2022-47008: fix memory leak in maketempdir and maketempname - CVE-2022-47011: fix memory leak in parsestabstructfields - CVE-2022-47010: fix memory leak in prfunctiontype - CVE-2022-48063: fix excessive memory allocation in...

CVE-2026-39087

ntfy before 2.22.0 allows SSRF because of an unanchored regular expression...

ntfy 代码注入漏洞

NTFY is a notification service system developed by Philipp Heckel, designed to enable cross-device message delivery through the publish-subscribe mechanism. Versions of NTFY prior to version 2.21 contained a code injection vulnerability. This vulnerability stemmed from issues with the parseAction...