CVE-2026-32811 Heimdall: Path received via Envoy gRPC corrupted when containing query string

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits t...

CVE-2026-32811 Heimdall: Path received via Envoy gRPC corrupted when containing query string

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. When using Heimdall in envoy gRPC decision API mode with versions 0.7.0-alpha through 0.17.10, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. Envoy splits t...

CVE-2026-32758

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler http/resource.go. The destination path in resourcePatchHandler is...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the xtIDLETIMER module allowing rev0 rules to reuse ALARM type timer labels. This could lead to a...

CVE-2026-32758

The CVE-2026-32758 entry concerns File Browser, where versions 2.61.2 and earlier are vulnerable to Path Traversal via the resourcePatchHandler in http/resource.go. The flaw allows an authenticated user with Create or Rename permissions to bypass deny rules by injecting .. sequences in the destin...

CVE-2026-32758

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler http/resource.go. The destination path in resourcePatchHandler is...

CVE-2026-32758 File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler http/resource.go. The destination path in resourcePatchHandler is...

CVE-2026-32758 File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler http/resource.go. The destination path in resourcePatchHandler is...

CVE-2026-32758 File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler http/resource.go. The destination path in resourcePatchHandler is...

[SECURITY] Fedora 43 Update: libtasn1-4.21.0-1.fc43

A library that provides Abstract Syntax Notation One ASN.1, as specified by the X.680 ITU-T recommendation parsing and structures management, and Distinguished Encoding Rules DER, as per X.690 encoding and decoding functi ons...

Heimdall: Path received via Envoy gRPC corrupted when containing query string

Summary When using heimdall in envoy gRPC decision API mode, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. The HTTP based decision API is NOT affected, and proxy mode is NOT affected either. Note: The issue can only lead to unintended acces...

Malicious code in eslint-plugin-superhuman-custom-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e50258e14acd3712854f3059d043b8c4982563ab8d401555b253702a3212279 The package eslint-plugin-superhuman-custom-rules was found to contain malicious code...

MAL-2026-1729 Malicious code in eslint-plugin-superhuman-custom-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e50258e14acd3712854f3059d043b8c4982563ab8d401555b253702a3212279 The package eslint-plugin-superhuman-custom-rules was found to contain malicious code...

EUVD-2026-12718

OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads...

CVE-2026-22175 OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers

OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads...

PT-2026-26207

Name of the Vulnerable Software and Affected Versions: gRPC-Go versions prior to 1.79.3 Description: gRPC-Go is vulnerable to an authorization bypass due to improper input validation of the HTTP/2 :path pseudo-header. The server incorrectly routes requests with missing leading slashes in the :pat...

EUVD-2025-208776

In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2 to change attributes class fchmodat2, introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2 to change a file attribute in the same fashion than chmod or fchmodat...

Stored Cross-Site Scripting (XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of the alert rule name in the Alert Rule API, which allows an attacker to inject malicious HTML code when creating or updating alert rules via the API...

CVE-2026-23241

In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr and listxattr are missing from the audit read class. Calling getxattrat or listxattrat on a file to read its extended attributes will bypass audit rules such...

CVE-2026-23241 audit: add missing syscalls to read class

In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr and listxattr are missing from the audit read class. Calling getxattrat or listxattrat on a file to read its extended attributes will bypass audit rules such...