JLSEC-2026-466 Mbed TLS peer can force the FFDH shared secret into a small set of values
An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values lack of contributor...
Malicious code in tuti-ruwet4-breki (npm)
Source: amazon-inspector 095baa3e2bf19fc4af5607035b264dd1855052239bfe77df74a7a72d4a03ba50 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2023-54651
Malicious code in bioql PyPI...
YSA-2025-02 | Yubico
A low severity issue has been identified in YubiKeys versions 5.4.1 through 5.7.3 in the FIDO CTAP PIN/UV Auth Protocol Two implementation. These YubiKey versions use the 16 byte signature length from CTAP PIN/UV Auth Protocol One during the verification step, even when the 32 byte CTAP PIN/UV Au...
Siemens SCALANCE Devices Out-of-bounds Write (CVE-2023-6129)
Issue summary: The POLY1305 MAC message authentication code implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC...
Allowing price updates once in an epoch is extremely risky and open windows to a lot of issues
Lines of code Vulnerability details Impact Protocol currently knows about how this could be an effect, since the comments to both previewDeposit and convertToShares suggest that any difference attached to this should be considered slippage, but measures are not taken to ensure that this slippage ...
Governance can cap the outflow of funds significantly preventing user redemptions
Lines of code Vulnerability details Impact The Reserve protocol always intends to allow free outflow of rToken collaterals. The redemption of rToken is allowed even when the protocol is paused. A Throttle mechanism is in place to just limit the outflow of funds from the contract. However the...
Missing checks on return data from the chainlink
Lines of code Vulnerability details Impact MED - the function of the protocol could be impacted 1. Use stale price information resulting to wrong project's balance 2. In the case of zero price, functions using price information will revert. Proof of Concept // JBPrices::priceFor at line 69 calls...
Purchased Malt and Auction Data Can Be Manipulated/Thrown Off
Handle jayjonah8 Vulnerability details Impact In Auction.sol, the purchased variable in the purchaseArbitrageTokens function can be manipulated throwing off the AuctionData and the ratio of the realCommitment vs the purchased amount. This is because "purchased" simply returns...
Use of incorrect index leads to incorrect updation of funding rates
Handle 0xRajeev Vulnerability details Impact The updateFundingRate function updates the funding rate and insurance funding rate. While the instant/new funding rates are calculated correctly, the cumulative funding rate calculation is incorrect because it is always adding the instant to 0, not the...
The vulnerability of the Libraries component in Oracle Java SE software platforms allows a perpetrator to trigger a service failure.
The vulnerability of the Libraries component in Oracle Java SE software platforms is related to lack of access control. Exploiting this vulnerability could allow an attacker to cause service interruptions using network protocols...