66 matches found
Important: containerd
Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
RockyLinux 8 : osbuild-composer (RLSA-2025:7967)
The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:7967 advisory. golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing CVE-2025-30204 Tenable has extracted the preceding description block directly from...
RockyLinux 10 : osbuild-composer (RLSA-2026:3752)
The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:3752 advisory. crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2025-61729 golang: archive/zip: Excessive CPU...
Astra Linux - vulnerability in netcdf
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxmlparsestr performs incorrect memory handling during the parsing of crafted XML files, writing outside of a memory region created by mmap...
RHEL 9 : skopeo (RHSA-2026:9098)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:9098 advisory. The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and...
USN-8154-2 python-django vulnerabilities
USN-8154-1 fixed vulnerabilities in Django. This update provides the corresponding updates for CVE-2026-33033 and CVE-2026-4292 in Ubuntu 14.04 LTS and Ubuntu 16.04 LTS, and CVE-2026-4277 in Ubuntu 16.04 LTS. Original advisory details: Seokchan Yoon discovered that Django incorrectly handled...
CLSA-2026-1773314910 git-lfs: Fix of 3 CVEs
rebuild with newer golang version 1.22.9-1.el92.tuxcare.els6 to fix the following CVE - CVE-2025-61726: limit parsed URL query parameters to mitigate excessive memory consumption during form parsing - CVE-2025-68121: fix TLS session resumption bypass by preventing shared auto-rotated ticket keys...
EulerOS 2.0 SP13 : golang (EulerOS-SA-2026-1240)
According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a respon...
RLSA-2026:3035 Important: grafana-pcp security update
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption v...
Linux Distros Unpatched Vulnerability : CVE-2026-27025
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes an...
Security update for vexctl
This update for vexctl fixes the following issues: Update to version 0.4.1+git78.f951e3a: CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2. bsc1239186 CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in...
macOS 14.x < 14.8.4 Multiple Vulnerabilities (126350)
The remote host is running a version of macOS / Mac OS X that is 14.x prior to 14.8.4. It is, therefore, affected by multiple vulnerabilities: - A race condition was addressed with improved handling of symbolic links. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, iOS 18.7.5 and...
USN-8022-1: Expat vulnerabilities
It was discovered that Expat incorrectly handled memory when parsing certain XML files. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 25.10. CVE-2025-59375 It was discovered that Expat incorrectly handled the initialization of...
SUSE-SU-2026:20089-1 Security update for alloy
This update for alloy fixes the following issues: Upgrade to version 1.12.1. Security issues fixed: - CVE-2025-47911: golang.org/x/net/html: quadratic complexity algorithms used when parsing untrusted HTML documents bsc1251509. - CVE-2025-58190: golang.org/x/net/html: excessive memory consumption...
MiracleLinux 9 : grafana-10.2.6-9.el9_5 (AXSA:2025-9818:04)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-9818:04 advisory. golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing CVE-2025-30204 Tenable has extracted the preceding description block directly...
CVE-2019-16748
In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignatureex in wolfcrypt/src/asn.c...
Important: amazon-ssm-agent
Issue Overview: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. CVE-2025-22874 Proxy-Authorization and Proxy-Authenticate headers...
OESA-2025-2827 golang security update
Security Fixes: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses...
Amazon Linux 2 : cni-plugins, --advisory ALAS2-2025-3078 (ALAS-2025-3078)
The version of cni-plugins installed on the remote host is prior to 1.7.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3078 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6...
Important: ecs-init
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...