Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for April 2026.

Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.0-IF007 and 25.0.1-IF001. These vulnerabilities have been also adressed in 24.0.1-IF007 and 25.0.0-IF004. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs...

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-43930 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-43930 Source advisory: OSV:GHSA-JPQ4-7FMQ-Q5FJ...

parse-server: MFA SMS one-time password accepted twice under concurrent login

Impact A race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.29) potentially affected by CVE-2026-43930 via parse-server (>=9.6.0-alpha.37 <=9.8.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.29 Source cves: CVE-2026-43930 Source advisory: OSV:GHSA-JPQ4-7FMQ-Q5FJ...

Race Condition

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition due to a race condition in the login process. An attacker can obtain multiple valid session tokens by...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.29) potentially affected by CVE-2026-43930 via parse-server (>=9.6.0-alpha.37 <=9.8.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.29 Source cves: CVE-2026-43930 Source advisory: SNYK:JS-PARSESERVER-16424355...

JLSEC-2026-442

In ncurses 6.1, there is a NULL pointer dereference at function ncparseentry in parseentry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character ' in name or alias field" detection...

JLSEC-2026-454 A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic....

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocesstermcap of the file tinfo/parseentry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to...

BIT-APACHE-2026-34059 Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

CLSA-2026-1777969446 binutils: Fix of 8 CVEs

CVE-2021-45078: fix heap-based buffer overflow in stabxcoffbuiltintype - CVE-2021-46174: fix buffer overflow in readsectionstabsdebugginginfo - CVE-2022-44840: fix heap buffer overflow in findsectioninset - CVE-2022-45703: fix heap buffer overflow in displaygdbindex - CVE-2022-47695: fix...

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Vulnerability Disclosure: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical...

PT-2026-37061

Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg attributes.c, svg parse strings, gf svg parse attribute...

CVE-2026-39103

GPAC contains a Buffer Overflow in the SVG attribute parsing path: src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute() that can lead to denial of service. The issue is tied to commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 (and is reflected across multiple advisories)...

UBUNTU-CVE-2026-34059

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

CVE-2026-39103

Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svgattributes.c, svgparsestrings, gfsvgparseattribute...

CVE-2026-39103

Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svgattributes.c, svgparsestrings, gfsvgparseattribute...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

DEBIAN-CVE-2025-70071

An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray...

GHSA-HJ4W-QR9J-C4CF GoBGP has an Integer Underflow Issue

A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this...

GoBGP has an Integer Underflow Issue

A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this...