CVE-2026-35378

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR | and AND & operation...

CVE-2026-41146

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fiojsonparse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning a...

CVE-2026-41146 facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fiojsonparse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning a...

PT-2026-34514

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR | and AND & operation...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013799)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013799 advisory. In the Linux kernel, the following vulnerability has been resolved: um: vector: Fix memory leak in vectorconfig If the return value of the umlparsevectorifspec...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013639)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013639 advisory. In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Add a length limitation for the ivrsacpihid command-line parameter The 'acpiid' buffer...

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013514)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013514 advisory. In the Linux kernel, the following vulnerability has been resolved: coresight: Fix memory leak in acpibuffer-pointer There are memory leaks reported by kmemleak:...

facil.io 资源管理错误漏洞

facil.io is a C-language high-performance web application microframework developed by Bo’s individual developer. Facil.io has a resource management vulnerability; this vulnerability arises when fiojsonparse enters an infinite loop upon encountering nested JSON values that start with “i” or “I”,...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013788)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013788 advisory. In the Linux kernel, the following vulnerability has been resolved: mcb: mcb-parse: fix error handing in chameleonparsegdd If mcbdeviceregister returns error in...

uutils coreutils 安全漏洞

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. There is a security vulnerability in uutils coreutils, which stems from a logical error in the expr function. This error causes the subexpressions within parentheses to be evaluated during the parsing phase rather...

PT-2026-34407

In the Linux kernel, the following vulnerability has been resolved: team: fix header ops type confusion with non-Ethernet ports Similar to commit 950803f72547 "bonding: fix type confusion in bond setup by slave" team has the same class of header ops type confusion. For non-Ethernet ports, team...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011066)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011066 advisory. In the Linux kernel, the following vulnerability has been resolved: um: vector: Fix memory leak in vectorconfig If the return value of the umlparsevectorifspec...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011037)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011037 advisory. In the Linux kernel, the following vulnerability has been resolved: mcb: mcb-parse: fix error handing in chameleonparsegdd If mcbdeviceregister returns error in...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

EUVD-2026-23939

NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the uriparamparse function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys an...

CLSA-2026-1776701249 libssh: Fix of CVE-2026-0968

CVE-2026-0968: sanitize input handling in sftpparselongname to prevent OOB read when processing malformed SFTP longname fields, add unit tests...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

EUVD-2026-23807

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...

CVE-2026-6618 langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...