Astra Linux - уязвимость в git

Git is a version control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker could create a local repository in such a way that, when cloned, arbitrary code would be executed during the cloning process. This issue has been fixed in versions 2.45.1,...

EUVD-2026-28552

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

CVE-2026-40931 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

CVE-2026-29179

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access...

BIT-DISCOURSE-2026-33423 Discourse staff can modify any user's group notification level

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, staff can modify any user's group notification level. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available...

BIT-DISCOURSE-2026-27740 Discourse has Stored XSS in AI Triage Automation

Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a cross-site scripting vulnerability that arises because the system trusts the raw output from an AI Large Language Model LLM and renders it using htmlSafe in the Review Queue interface withou...

CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the...

CVE-2026-30976

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files containing API keys and database credentials, Windows...

CVE-2026-33174 Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request...

UBUNTU-CVE-2026-25796

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in ReadSTEGANOImage coders/stegano.c, the watermark Image object is not freed on three early-return paths, resulting in a definite memory leak 13.5KB+ per...

CVE-2026-23740

A flaw was found in Asterisk. When the astcoredumper writes its gdb init and output files to a world-writable directory, a local attacker with write permissions to that directory can exploit this vulnerability. By manipulating the gdb init file and output paths, the attacker can cause the system ...

UBUNTU-CVE-2025-66035

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential...

CVE-2025-64325 Emby Server is Vulnerable to Remote Code Execution Through XSS in Admin Dashboard

Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has...

EUVD-2025-34454

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions prior to 16.0.92 for FreePBX 16 and versions prior to 17.0.6 for FreePBX 17, the Endpoint Manager module contains authenticated SQL injection vulnerabilities affecting multiple parameters in the...

Zimbra Collaboration Server 9.x < 9.0.0 Patch 39, 10.0.x < 10.0.13, 10.1.x < 10.1.5 XSS

According to its self-reported version number, Zimbra Collaboration Server is affected by the following vulnerability including:A stored cross-site scripting XSS vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML. Using a specifically crafted email, a attacker...

CVE-2025-34197 Vasion Print (formerly PrinterLogic) Undocumented Local Account with Hardcoded Password and Passwordless sudo

Vasion Print formerly PrinterLogic Virtual Appliance Host versions prior to 22.0.951, Application prior to 20.0.2368 VA and SaaS deployments contain an undocumented local user account named ubuntu with a preset password and a sudoers entry granting that account passwordless root privileges ubuntu...

Linux Distros Unpatched Vulnerability : CVE-2022-3030

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An improper access control issue in GitLab CE/EE affecting all versions starting before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3...

Linux Distros Unpatched Vulnerability : CVE-2022-2227

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a...

AZL-65333 CVE-2025-53906 affecting package vim for versions less than 9.1.1552-1

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful...

ALPINE-CVE-2025-29768

Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim...