
125893 matches found

Positive Technologies
added 2026/05/18 12:0 a.m., 9 views

PT-2026-41685

Name of the Vulnerable Software and Affected Versions: Faraday versions 2.0.0 through 2.14.1. Description: Faraday is an HTTP client library abstraction layer. A flaw exists where protocol-relative host override is possible when the request target is passed as a URI object instead of a String to the...

AI score 5.8, EPSS 0.00272
Exploits: 1, References: 6

Positive Technologies
added 2026/05/18 12:0 a.m., 7 views

PT-2026-41783

Name of the Vulnerable Software and Affected Versions: OpenTelemetry eBPF Instrumentation versions prior to 0.9.0. Description: The Postgres protocol parser incorrectly assumes that BIND message payloads contain a valid NUL-terminated portal name. When processing a crafted empty or unterminated...

CVSS 7.5, AI score 6, EPSS 0.00294
Exploits: 1, References: 5

FreeBSD
added 2026/05/18 12:0 a.m., 34 views

Vinyl/Varnish -- HTTP/2 parsing deficiency

Vinyl Development Team reports: A deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass or possibly even information disclosure and manipulation...

AI score 5.8
Exploits: 0, References: 1

Tenable Nessus
added 2026/05/18 12:0 a.m., 9 views

Debian dsa-6280-1 : a2boot - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6280-1 advisory. Debian Security Advisory DSA-6280-1...

CVSS 9.9, AI score 6, EPSS 0.00516
Exploits: 0, References: 42

RubySec
added 2026/05/18 12:0 a.m., 19 views

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative URI objects still bypass host scoping

Summary: Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

CVSS 6.5, AI score 5.9, EPSS 0.00272
Exploits: 1, References: 1, Affected Software: 1

Microsoft CVE
added 2026/05/17 8:1 a.m., 11 views

FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

...

CVSS 5.9, AI score 5.8, EPSS 0.00401
Exploits: 0

GithubExploit
added 2026/05/17 4:33 a.m., 118 views

Eternalblue-ms17-010-lab

01-EternalBlue-MS17-010-README.md https://github.com/user-atta...

CVSS 9.3, AI score 7.5, EPSS 0.93307
Exploits: 46

OSSF Malicious Packages
added 2026/05/17 1:43 a.m., 6 views

Malicious code in @zentrafinance/protocol-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dac3a1aa20b56dc05bd68918bf7f6148970c361a102fafcd7d75d807adc36862 The package @zentrafinance/protocol-config was found to contain malicious code. Source: ghsa-malware...

AI score 5.8
Exploits: 0, References: 1

OSV
added 2026/05/17 1:43 a.m., 2 views

MAL-2026-3813 Malicious code in @zentrafinance/protocol-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dac3a1aa20b56dc05bd68918bf7f6148970c361a102fafcd7d75d807adc36862 The package @zentrafinance/protocol-config was found to contain malicious code. Source: ghsa-malware...

AI score 5.8
Exploits: 0, References: 1

Packet Storm News
added 2026/05/17 12:0 a.m., 17 views

ADR: An Agentic Detection System for Enterprise Agentic AI Security

We present the Agentic AI Detection and Response (ADR) system, the first large-scale, production-proven enterprise framework for securing AI agents operating through the Model Context Protocol (MCP). We identify three persistent challenges in this domain: (1) limited observability -- existing Endpoint...

AI score 5.8
Exploits: 0

GithubExploit
added 2026/05/16 11:3 p.m., 97 views

lwip-2026-pocs

lwip-2026-pocs Proof-of-concept exploits from the xchglabs...

AI score 5.9
Exploits: 0

Hacker One
added 2026/05/16 9:24 p.m., 38 views

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPT_HAPROXYPROTOCOL setting or the CURLOPT_HAPROXY_CLIENT_IP value in its connection match key. Two transfers issued through the same Curl_easy or via a shared connection cache (CURL_LOCK_DATA_CONNECT) therefore share one TCP connectio...

CVSS 7.5, AI score 7, EPSS 0.00715
Exploits: 9

Positive Technologies
added 2026/05/16 12:0 a.m., 10 views

PT-2026-42209

Name of the Vulnerable Software and Affected Versions: Boxlite versions prior to 0.9.0. Description: Boxlite is a sandbox service that allows users to create lightweight virtual machines and launch OCI containers to run untrusted code. The software fails to properly enforce read-only mounts for host...

CVSS 10, AI score 6.3, EPSS 0.00289
Exploits: 0, References: 11

OSV
added 2026/05/15 11:13 p.m., 4 views

CLSA-2026-1778881024 quagga: Fix of CVE-2018-5380

CVE-2018-5380: fix BGP NOTIFY debug-print msg array over-read...

CVSS 4.3, AI score 6.8, EPSS 0.14998
Exploits: 0, References: 1

Fedora
added 2026/05/15 9:9 p.m., 13 views

[SECURITY] Fedora 43 Update: nginx-1.30.1-1.fc43

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVSS 9.2, AI score 6, EPSS 0.14453
Exploits: 38

Fedora
added 2026/05/15 8:58 p.m., 12 views

[SECURITY] Fedora 44 Update: nginx-1.30.1-1.fc44

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVSS 9.2, AI score 6, EPSS 0.14453
Exploits: 38

Fedora
added 2026/05/15 8:57 p.m., 10 views

[SECURITY] Fedora 44 Update: perl-Net-CIDR-Lite-0.24-1.fc44

Faster alternative to Net::CIDR when merging a large number of CIDR address ranges. Works for IPv4 and IPv6 addresses...

CVSS 6.5, AI score 5.8, EPSS 0.00311
Exploits: 0

CVE
added 2026/05/15 7:59 p.m., 20 views

CVE-2026-44551

Open WebUI vulnerability CVE-2026-44551: before version 0.9.0, the LDAP authentication endpoint does not validate non-empty passwords, allowing an unauthenticated Simple Bind on many LDAP servers. The LdapForm model accepts password: str without a minimum length, so an empty string can reach the ...

CVSS 9.1, AI score 5.8, EPSS 0.01256
Exploits: 1, References: 1, Affected Software: 1

RedhatCVE
added 2026/05/15 7:57 p.m., 9 views

CVE-2026-38740

Foscam VD1 Video Doorbell before V5.3.131072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over network interfaces. An attacker with network visibility can...

CVSS 5.3, AI score 5.9, EPSS 0.00131
Exploits: 0, References: 1

EUVD
added 2026/05/15 7:22 p.m., 24 views

EUVD-2026-30611

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, validate_url() in backend/open_webui/retrieval/web/utils.py calls validators.ipv6(ip, private=True), but the validators library does NOT implement the private keyword for IPv6 — the call...

CVSS 8.5, AI score 5.8, EPSS 0.00286
Exploits: 1, References: 1