curl: TLS peer-verification bypass via mid-transfer ssl_config mutation

Hi all, We want to report a TLS peer-verification issue on current master. The trigger is narrow and requires a specific application usage pattern, but when it fires, a transfer that requests CURLOPTSSLVERIFYPEER=1 can reuse a TLS connection that was established with peer verification disabled...

CVE-2026-42312

pyload-ng contains a vulnerability (CVE-2026-42312) where a non-admin user with SETTINGS permission can disable TLS peer/hostname verification by setting general.ssl_verify off. The root cause is that the option is not in the ADMIN_ONLY_CORE_OPTIONS allowlist, so set_config_value() writes are all...

SUSE CVE-2026-43052

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check tdls flag in ieee80211tdlsoper When NL80211TDLSENABLELINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDL...

pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general", "sslverify" is not on that allowlist. Any authenticated user with the non-admin SETTINGS...

AZL-69961 CVE-2025-64434 affecting package kubevirt for versions less than 0.59.0-33

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler via verifyPeerCert, an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileg...

CVE-2025-64434

KubeVirt Vulnerability CVE-2025-64434 affects virt-handler’s peer verification (verifyPeerCert). In affected releases prior to 1.5.3 and 1.6.1, a compromised virt-handler could exploit shared credentials to impersonate virt-api and perform privileged operations against other virt-handler instance...

PT-2025-45512

Name of the Vulnerable Software and Affected Versions KubeVirt versions prior to 1.5.3 KubeVirt versions prior to 1.6.1 Description KubeVirt is a virtual machine management add-on for Kubernetes. A flaw exists in the peer verification logic within virt-handler via the verifyPeerCert function. An...

EUVD-2017-3119

Malware in sbrugna...

EUVD-2015-7871

Malware in sbrugna...

EUVD-2018-3770

Malware in sbrugna...

EUVD-2024-52172

Malicious code in bioql PyPI...

EUVD-2022-2590

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2024-53846

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design...

CVE-2021-1938

Possible assertion due to improper verification while creating and deleting the peer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music,...

ALPINE-CVE-2024-12797

Issue summary: Clients using RFC7250 Raw Public Keys RPKs to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSLVERIFYPEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...

SUSE CVE-2024-53846

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and...

CVE-2024-53846

A regression flaw was introduced into Erlang OTP's SSL application. This issue results in a server or client verifying the peer when incorrect extended key usage is presented. For example, a server will verify if a client has server auth ext key usage and vice versa...

AZL-54051 CVE-2024-53846 affecting package erlang for versions less than 26.2.5.6-1

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and...

DEBIAN-CVE-2024-53846

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and...

UBUNTU-CVE-2024-53846

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and...