256845 matches found
BIT-PYTHON-2026-12003 CPython >3.11 Insecure Input Validation resulting in privilege escalation
To allow builds of Python to be run from an in-tree layout rather than an installed file layout, the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python...
BIT-LIBPYTHON-2026-12003 CPython >3.11 Insecure Input Validation resulting in privilege escalation
To allow builds of Python to be run from an in-tree layout rather than an installed file layout, the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python...
CVE-2026-50015
A flaw was found in pnpm. An attacker can exploit this by contributing a malicious patch file through a pull request. During the pnpm install process, the patch application pipeline fails to validate file paths extracted from these patch files. This allows the attacker to write or delete arbitrar...
CVE-2026-43867
The CVE concerns Apache Camel’s PQC component where AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() Base64-decodes and deserializes persisted KeyMetadata via a raw java.io.ObjectInputStream.readObject() without an ObjectInputFilter or class allow-list. A user who can write to the confi...
EUVD-2026-41853
Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata reads that metadata back from the...
CVE-2026-43867 Apache Camel: Camel-PQC: The AWS Secrets Manager key-lifecycle manager deserializes persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter
Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata reads that metadata back from the...
Important: Red Hat Security Advisory: grafana-pcp security update
An update for grafana-pcp is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...
golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname for example, xn--example-.com returns example.com instead of an error. Applications that validate the ASCII form then convert to Unicode may grant acce...
kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation
A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the traffic control actct path when it is incorrectly configured with non-ingress egress qdiscs queueing disciplines. This can allow a local user with specific privileges to trigger a kernel crash, leading to a denial ...
Important: Red Hat Security Advisory: grafana security update
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...
Important: Red Hat Security Advisory: grafana-pcp security update
An update for grafana-pcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...
golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname for example, xn--example-.com returns example.com instead of an error. Applications that validate the ASCII form then convert to Unicode may grant acce...
Important: Red Hat Security Advisory: grafana-pcp security update
An update for grafana-pcp is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...
golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
A flaw was found in golang.org/x/net/idna. ToASCII and ToUnicode incorrectly accept Punycode-encoded labels that decode to an ASCII-only hostname for example, xn--example-.com returns example.com instead of an error. Applications that validate the ASCII form then convert to Unicode may grant acce...
Important: Red Hat Security Advisory: grafana security update
An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...
Harbor <=1.82.0 - Privilege Escalation
Harbor 1.7.0 through 1.8.2 is susceptible to privilege escalation via core/api/user.go, which allows allows non-admin users to create admin accounts via the POST /api/users API when Harbor is setup with DB as an authentication backend and allows user to do self-registration. id: CVE-2019-16097...
Acmailer - Improper Access Control to OS Command Injection
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified...
Ninja Forms < 3.6.26 - Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin id: CVE-2023-37979 info: name: Ninja Forms 3.6.26 - Cross-Site Scripting author: r3Y3r53 severity:...
CHAOS 5.0.1 'sendCommandHandler' - Cross-Site Scripting
Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component. id: CVE-2024-31839 info: name: CHAOS 5.0.1 'sendCommandHandler' - Cross-Site Scripting author: riteshs4hu severity:...
DELMIA Apriso - Broken Access Control
DELMIA Apriso Release 2020 through Release 2025 contains a broken access control vulnerability caused by missing authorization, letting attackers gain privileged access to the application, exploit requires no special conditions. id: CVE-2025-6205 info: name: DELMIA Apriso - Broken Access Control...