Allocation of Resources Without Limits or Throttling

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of a frame count limit in the loadbase64 function when processing video/jpeg...

GHSA-PQ5C-RJHQ-QP7P vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing

Summary The VideoMediaIO.loadbase64 method at vllm/multimodal/media/video.py:51-62 splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The numframes parameter default: 32, which is enforced by the loadbytes code path at line 47-48, is...

CVE-2026-28797 RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. In versions 0.24.0 and prior, a Server-Side Template Injection SSTI vulnerability exists in RAGFlow's Agent workflow Text Processing StringTransform and Message components. These components use Python's jinja2.Template unsandbox...

CVE-2026-28797 RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. In versions 0.24.0 and prior, a Server-Side Template Injection SSTI vulnerability exists in RAGFlow's Agent workflow Text Processing StringTransform and Message components. These components use Python's jinja2.Template unsandbox...

CVE-2026-28797

RAGFlow (open-source Retrieval-Augmented Generation engine) is affected in versions ≤0.24.0 by a Server-Side Template Injection (SSTI) in the Agent workflow Text Processing (StringTransform) and Message components. The vulnerability arises from rendering user-supplied templates with Python’s jinj...

CVE-2026-35559

Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations. To remediate this issue, users should upgrade to version 2.1.0...

CVE-2026-35559 Out-of-bounds write in query processing components in Amazon Athena ODBC driver

Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations. To remediate this issue, users should upgrade to version 2.1.0...

CVE-2026-35559

CVE-2026-35559 affects the Amazon Athena ODBC driver. The issue is an out-of-bounds write in the driver’s query processing components prior to version 2.1.0.0, which could crash the driver when processing specially crafted data during queries. Remediation: upgrade to version 2.1.0.0 or later. If ...

UBUNTU-CVE-2026-3184

A flaw was found in util-linux. Improper hostname canonicalization in the login1 utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAMRHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing...

CVE-2026-28373

The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem...

[SECURITY] Fedora 42 Update: gstreamer1-vaapi-1.26.11-1.fc42

A collection of GStreamer plugins to let you make use of VA API video acceleration from GStreamer applications. Includes elements for video decoding, display, encoding and post-processing using VA API subject to hardware limitations...

[SECURITY] Fedora 42 Update: gstreamer1-plugins-base-1.26.11-1.fc42

GStreamer is a streaming media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related. Its plugin-based architecture means that new data types ...

CVE-2026-23441

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5eipsecaso struct for each PF, which contains a shared DMA-mapped context...

CVE-2026-34743

A flaw was found in XZ Utils. When the lzmaindexdecoder function processes an empty index, and a subsequent lzmaindexappend operation is performed, insufficient memory is allocated. This can lead to a buffer overflow, potentially causing a denial of service DoS for affected systems...

OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS

Summary Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availabili...

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the image pixel-limit guard failing to properly restrict oversized pixel counts during image processing. An attacker can exhaus...

Chromium: CVE-2026-5272 Heap buffer overflow in GPU

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVE-2026-28373

The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can write arbitrary content to any path on the victim's filesystem...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the improper restoration of writable and soft dirty bits during batch processing, potentially...

PT-2026-30218

Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations. To remediate this issue, users should upgrade to version 2.1.0...