84 matches found
CVE-2026-53655
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...
SUSE CVE-2026-41648
Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when...
CVE-2026-41648 Incus: Unbounded YAML Metadata Decode via Parsing
Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when...
Incus 代码问题漏洞
Incus is a system container and virtual machine manager developed by LXC. Versions of Incus prior to 7.0.0 contained code vulnerabilities. These vulnerabilities stemmed from the backup.GetInfo function’s trust inlining backup configurations, which allowed valid, inline configurations along with...
Zammad 访问控制错误漏洞
Zammad is a ticketing management software developed by the German company Zammad. Versions of Zammad prior to 7.0.1 and 6.5.4 contained an access control vulnerability. This vulnerability stemmed from unverified attackers being able to access the “getting started” endpoint, potentially leading to...
EUVD-2026-19837
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's...
ChurchCRM SQL注入漏洞
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 had a SQL injection vulnerability. This vulnerability stemmed from insufficient cleaning and escaping of Field parameters in the GroupPropsFormRowOps.php file, which could lead to SQL injection...
PT-2026-30943
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user ...
CVE-2026-31932
CVE-2026-31932 affects Suricata (network IDS/IPS/NSM). The issue is described as inefficiency (quadratic complexity) in KRB5 buffering that can lead to performance degradation. Affected versions are prior to 7.0.15 and 8.0.4, with a patch applying in 7.0.15 and 8.0.4. CVSS:3.1 base score 7.5 (HIG...
Suricata 安全漏洞
Suricata is a network IDS, IPS, and NSM engine developed by the Open Information Security Foundation. Versions of Suricata prior to 7.0.15 contained security vulnerabilities, which were caused by inefficient DCERPC buffering, potentially leading to performance degradation...
CVE-2026-33526 Squid vulnerable to Denial of Service in ICP Request handling
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP...
CVE-2026-32748 Squid has Denial of Service in ICP Response handling
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable...
EUVD-2026-16056
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable...
SUSE CVE-2023-43637
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" which will always return "foobarfoobarfoobarfoobarfoobarfo...
CVE-2026-32111
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form beta feature accepts a user-supplied haurl and makes a server-side HTTP request to haurl/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network...
AVideo 操作系统命令注入漏洞
AVideo is an open-source broadcast network creation tool developed by the World Wide Broadcast Network. Prior to version 7.0 of AVideo, there was a vulnerability related to operating system command injection. This vulnerability allowed unauthenticated attackers to execute arbitrary operating syst...
CVE-2023-43637
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" which will always return "foobarfoobarfoobarfoobarfoobarfo...
OESA-2025-2839 redis6 security update
Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing se...
Fortra GoAnywhere MFT 安全漏洞
Fortra GoAnywhere MFT is a file transfer software from Fortra, Inc. A security vulnerability exists in Fortra GoAnywhere MFT versions prior to 7.9.0, which stems from improper access control of the SFTP service, and could result in a Web user logging in with an SSH key...
HCLTech DRAGON 安全漏洞
HCLTech DRAGON is a data retention / archiving / mass data storage and retrieval solution from HCL Corporation, USA. A security vulnerability exists in HCLTech DRAGON versions prior to 7.6.0 that stems from the API not enforcing a request number or size limit, which could lead to remote execution...