4 matches found

Positive Technologies
added 2026/05/19 12:0 a.m., 7 views

PT-2026-42038

Summary The / nuxt island/ endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash .json was actually issued for those inputs by . The hash is computed and embedded client-side but never validated server-side, ...

2.3 CVSS, 6 AI score
Exploits: 0, References: 4

NVD
added 2026/05/13 10:16 p.m., 10 views

CVE-2026-44471

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries...

7.8 CVSS, 0.00006 EPSS
Exploits: 1, References: 1

OSV
added 2026/05/13 10:16 p.m., 3 views

UBUNTU-CVE-2026-44471

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries...

7.8 CVSS, 5.8 AI score, 0.00006 EPSS
Exploits: 1, References: 3

RedHat Linux
added 2021/09/22 8:55 a.m., 2 views

nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite

The npm package "tar" aka node-tar has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted...

8.2 CVSS, 7.4 AI score, 0.00122 EPSS
Exploits: 0, References: 5