CVE-2026-42245 net-imap: Quadratic complexity when reading response literals

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...

CVE-2026-42245 net-imap: Quadratic complexity when reading response literals

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...

EUVD-2026-28923

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are...

OESA-2026-2251 golang security update

. Security Fixes: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.CVE-2026-27140 tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing...

OESA-2026-2248 golang security update

. Security Fixes: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.CVE-2026-27140 Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a...

Net::IMAP 安全漏洞

Net::IMAP is a Ruby client API for the IMAP message access protocol, developed by Ruby Open Source. Versions of Net::IMAP prior to 0.4.24, 0.5.14, and 0.6.4 contained security vulnerabilities. These vulnerabilities stemmed from the use of ResponseReader, which had a quadratic time complexity when...

CVE-2026-42451

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting XSS vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wi...

EUVD-2026-28861

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting XSS vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wi...

CVE-2026-42451 Grimmory: Stored XSS via Malicious EPUB Enables Session Token Theft

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting XSS vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wi...

CVE-2026-42451 Grimmory: Stored XSS via Malicious EPUB Enables Session Token Theft

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting XSS vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wi...

CVE-2026-42451

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting XSS vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wi...

UBUNTU-CVE-2026-43376

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using callrcu for oplockinfo ksmbd currently frees oplockinfo immediately using kfree, even though it is accessed under RCU read-side critical sections in places like opinfoget and procshowfiles. Sinc...

BIT-JRE-2024-25062

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free...

PT-2026-38830

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free...

PT-2026-39217

Name of the Vulnerable Software and Affected Versions Grimmory versions prior to 2.3.1 Description A stored cross-site scripting XSS issue in the browser-based EPUB reader allows an attacker to embed arbitrary JavaScript within a crafted EPUB file. When a user opens the affected book, the script...

Grimmory 跨站脚本漏洞

Grimmory is an open-source e-book management software developed by Grimmory. Versions of Grimmory prior to 2.3.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the browser EPUB reader, allowing attackers to embed arbitrary JavaScript in specially crafted EPUB file...

Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers

Summary The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.AppendfrenderedContent, "%s", tag.Name at internal/service/common/common.go:120, and the Markdown renderer at internal/util/md/md.go does not set the html.SkipHTML...

CVE-2026-43272

A flaw was found in the Linux kernel's ring-buffer component. This vulnerability allows a local user to potentially cause a denial of service. The issue occurs because a pointer in the rbmetavalidateevents function is not properly initialized, and its dereference during a reader page validation...

Unity Linux 20.1070a Security Update: osbuild-composer (UTSA-2026-016489)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016489 advisory. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large...

GHSA-2V93-VP82-CJV8 Velocidex Velociraptor has an Incorrect Authorization issue

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...