22133 matches found

Fedora
added 2026/05/15 10:45 p.m., 11 views

[SECURITY] Fedora 42 Update: nginx-1.30.1-1.fc42

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVSS 9.2, AI score 6, EPSS 0.00288
Exploits: 36
Snyk
added 2026/05/15 9:29 p.m., 5 views

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the image proxy process. An attacker can cause a denial of service on client systems by serving malicious SVG files from an attacker-controlled origin with a misleading Content-Ty...

CVSS 6.5, AI score 5.8, EPSS 0.00097
Exploits: 0, References: 2
Veracode
added 2026/05/15 9:28 p.m., 6 views

Information Disclosure

Zabbix is vulnerable to an information disclosure. The vulnerability is due to the reuse of JavaScript Duktape contexts in Zabbix Server/Proxy, which allows a regular non-super administrator to leak sensitive data from hosts they are not authorized to access through shared global JavaScript...

CVSS 7.1, AI score 5.8, EPSS 0.0003
Exploits: 0, References: 3, Affected Software: 1
Fedora
added 2026/05/15 9:09 p.m., 13 views

[SECURITY] Fedora 43 Update: nginx-1.30.1-1.fc43

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVSS 9.2, AI score 6, EPSS 0.00288
Exploits: 36
Fedora
added 2026/05/15 8:58 p.m., 12 views

[SECURITY] Fedora 44 Update: nginx-1.30.1-1.fc44

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage...

CVSS 9.2, AI score 6, EPSS 0.00288
Exploits: 36
Cvelist
added 2026/05/15 7:46 p.m., 23 views

CVE-2026-44556 Open WebUI: responses passthrough endpoint lacks access control authorization

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While...

CVSS 7.1, EPSS 0.00014
Exploits: 0, References: 1
Vulnrichment
added 2026/05/15 6:32 p.m., 4 views

CVE-2026-4054 SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...

CVSS 4.3, AI score 5.8, EPSS 0.00097
Exploits: 0, References: 1
Cvelist
added 2026/05/15 6:32 p.m., 27 views

CVE-2026-4054 SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...

CVSS 4.3, EPSS 0.00097
Exploits: 0, References: 1
Debian
added 2026/05/15 5:31 p.m., 4 views

[SECURITY] [DLA 4584-1] openssh security update

Debian LTS Advisory DLA-4584-1 [email protected] https://www.debian.org/lts/security/ Santiago Ruano Rincón May 15, 2026 https://wiki.debian.org/LTS Package : openssh Version : 1:8.4p1-5+deb11u7 CVE ID : CVE-2025-61984 CVE-2025-61985 CVE-2026-35385 CVE-2026-35386 CVE-2026-35387...

CVSS 8.1, AI score 7.1, EPSS 0.00061
Exploits: 2
OSV
added 2026/05/15 4:17 p.m., 5 views

CLSA-2026-1778847162 httpd: Fix of CVE-2026-28780

CVE-2026-28780: heap-based buffer overflow in ajp_msg_check_header in mod_proxy_ajp when proxying to a malicious AJP backend that returns an oversized response, allowing a 4-byte out-of-bounds write past the heap buffer...

CVSS 9.8, AI score 6, EPSS 0.00026
Exploits: 0, References: 1
RedhatCVE
added 2026/05/15 2:03 p.m., 5 views

CVE-2026-45184

A flaw was found in Kdenlive. This vulnerability allows an attacker to use dangerous proxy parameters when a user opens a specially crafted project file. Successful exploitation could lead to arbitrary code execution or information disclosure on the affected system...

CVSS 6.5, AI score 6.2, EPSS 0.00005
Exploits: 0, References: 2
OSV
added 2026/05/15 2:01 p.m., 3 views

OESA-2026-2319 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to...

CVSS 9.8, AI score 5.8, EPSS 0.00644
Exploits: 2, References: 7
OSV
added 2026/05/15 2:01 p.m., 6 views

OESA-2026-2317 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and...

CVSS 9.8, AI score 5.8, EPSS 0.00026
Exploits: 0, References: 2
OSV
added 2026/05/15 2:00 p.m., 2 views

OESA-2026-2300 python-urllib3 security update

HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more. Security Fixes: urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url.urlopen...,...

CVSS 8.2, AI score 5.8, EPSS 0.00013
Exploits: 0, References: 2
OSV
added 2026/05/15 1:59 p.m., 4 views

OESA-2026-2287 xdg-dbus-proxy security update

xdg-dbus-proxy is a filtering proxy for D-Bus connections. It was originally part of the flatpak project, but it has been broken out as a standalone module to facilitate using it in other contexts. Security Fixes: xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy...

CVSS 6.8, AI score 5.8, EPSS 0.00008
Exploits: 0, References: 2
OSV
added 2026/05/15 1:59 p.m., 3 views

OESA-2026-2286 xdg-dbus-proxy security update

xdg-dbus-proxy is a filtering proxy for D-Bus connections. It was originally part of the flatpak project, but it has been broken out as a standalone module to facilitate using it in other contexts. Security Fixes: xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy...

CVSS 6.8, AI score 5.8, EPSS 0.00008
Exploits: 0, References: 2
OSV
added 2026/05/15 8:50 a.m., 2 views

BIT-NGINX-GATEWAY-2026-42934 NGINX ngx_http_charset_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering "off" directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' contr...

CVSS 6.3, AI score 6.1, EPSS 0.00044
Exploits: 0, References: 2
OSV
added 2026/05/15 8:50 a.m., 4 views

BIT-NGINX-GATEWAY-2026-42926 NGINX ngx_http_proxy_v2_module vulnerability

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...

CVSS 6.3, AI score 5.8, EPSS 0.00027
Exploits: 1, References: 2
OSV
added 2026/05/15 8:50 a.m., 5 views

BIT-NGINX-2026-42934 NGINX ngx_http_charset_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering "off" directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' contr...

CVSS 6.3, AI score 6.1, EPSS 0.00044
Exploits: 0, References: 2
OSV
added 2026/05/15 8:50 a.m., 3 views

BIT-NGINX-2026-42926 NGINX ngx_http_proxy_v2_module vulnerability

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...

CVSS 6.3, AI score 5.8, EPSS 0.00027
Exploits: 1, References: 2