
16974 matches found

Positive Technologies
added 2026/05/18 12:0 a.m., 9 views

PT-2026-41783

Name of the Vulnerable Software and Affected Versions: OpenTelemetry eBPF Instrumentation versions prior to 0.9.0. Description: The Postgres protocol parser incorrectly assumes that BIND message payloads contain a valid NUL-terminated portal name. When processing a crafted empty or unterminated...

CVSS 7.5, AI score 6, EPSS 0.00341
Exploits: 1, References: 20

CERT
added 2026/05/18 12:0 a.m., 9 views

SGLang contains two remote code execution and one path traversal vulnerability

Overview: Three vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE), and one regarding a path traversal vulnerability. In order for an attacker to exploit these vulnerabilities, the multimodal generation mode must be enabled, and an attacker must have...

CVSS 9.8, AI score 6.5, EPSS 0.00585
Exploits: 0, References: 2

Fedora
added 2026/05/17 1:27 a.m., 17 views

[SECURITY] Fedora 44 Update: pypy-7.3.22-2.fc44

PyPy's implementation of Python, featuring a Just-In-Time compiler on some CPU architectures, and various optimized implementations of the standard types (strings, dictionaries, etc.). This build of PyPy has JIT-compilation enabled...

CVSS 4.6, AI score 5.8, EPSS 0.00144
Exploits: 0

Packet Storm News
added 2026/05/17 12:0 a.m., 8 views

ContraFix: Agentic Vulnerability Repair Via Differential Runtime Evidence and Skill Reuse

Large language model (LLM) agents are increasingly used for automated vulnerability repair (AVR), where repository-level reasoning enables them to inspect context and produce source-code patches. However, recent empirical results show that these agents still struggle with real-world vulnerabilities...

AI score 5.9
Exploits: 0

Tenable Nessus
added 2026/05/17 12:0 a.m., 7 views

Fedora 44 : python-jupytext (2026-301cbbe347)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-301cbbe347 advisory. This update contains upgrades to various npm packages used during the build to address CVEs, namely: - CVE-2025-69873 ajv - CVE-2026-0540 DOMPurify ...

CVSS 9.8, AI score 6.5, EPSS 0.01026
Exploits: 2, References: 7

Tenable Nessus
added 2026/05/16 12:0 a.m., 9 views

Fedora 43 : python-jupytext (2026-85b819b928)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-85b819b928 advisory. This update contains upgrades to various npm packages used during the build to address CVEs, namely: - CVE-2025-69873 ajv - CVE-2026-0540 DOMPurify ...

CVSS 9.8, AI score 5.9, EPSS 0.01026
Exploits: 2, References: 7

HackRead
added 2026/05/15 8:55 p.m., 6 views

The Next Cybersecurity Challenge May Be Verifying AI Agents

AI agents are reshaping cybersecurity. Learn why verification, trusted identity standards, and runtime controls are now essential...

AI score 5.8
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 5 views

org.apache.doris:flink-doris-connector-2.0 (>=26.0.0 <=26.1.1), org.apache.flink:flink-examples-table_2.12 (>=2.0.0 <=2.0.1) +6 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (>=2.0.0 <=2.0.1)

org.apache.flink:flink-table-runtime MAVEN version =2.0.0, =26.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1 Source cves: CVE-2026-35194 Source advisory: OSV:GHSA-2F54-V4HM-FX73...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

Snyk
added 2026/05/15 6:30 p.m., 14 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

CVSS 8.6, AI score 6.3, EPSS 0.00381
Exploits: 0, References: 2

vulnersOsv
added 2026/05/15 6:30 p.m., 4 views

com.datasqrl.flinkrunner:stdlib-json (>=0.9.0 <=0.10.1), com.datasqrl:sqrl-discovery (>=0.9.0 <=0.10.4) +17 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (=2.2.0)

org.apache.flink:flink-table-runtime MAVEN version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.flink:flink-table-runtime and may be impacted: - com.datasqrl.flinkrunner:stdlib-json =0.9.0, =0.9.0, =0.9.0, =0.9.0, =2.2.0-EXNESS-0.1...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 5 views

org.apache.doris:flink-doris-connector-2.0 (>=26.0.0 <=26.1.1), org.apache.flink:flink-examples-table_2.12 (>=2.0.0 <=2.0.1) +6 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (>=2.0.0 <=2.0.1)

org.apache.flink:flink-table-runtime MAVEN version =2.0.0, =26.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1 Source cves: CVE-2026-35194 Source advisory: SNYK:JAVA-ORGAPACHEFLINK-16799797...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 4 views

cn.ibizlab.plugin:ibiz-dataflow-flink (>=8.1.0.371 <=8.1.0.567.22), cn.sliew:flinkful-cli-descriptor-examples (>=1.0.2 <=1.0.7) +184 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (>=1.15.0 <=1.20.3)

org.apache.flink:flink-table-runtime MAVEN version =1.15.0, =8.1.0.371, =1.0.2, =1.0.3, =1.0.0, =1.0.2, =0.5.0, =0.5.0, =1.4.0, =1.4.0, =1.4.0, =1.0, =1.0.1 and more Source cves: CVE-2026-35194 Source advisory: OSV:GHSA-2F54-V4HM-FX73...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 6 views

com.datasqrl.flinkrunner:stdlib-json (>=0.9.0-alpha1 <=0.9.0-alpha2), com.datasqrl:sqrl-discovery (>=0.9.0-alpha1 <=0.9.0-alpha2) +14 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (>=2.1.0 <=2.1.1)

org.apache.flink:flink-table-runtime MAVEN version =2.1.0, =0.9.0-alpha1, =0.9.0-alpha1, =0.9.0-alpha1, =0.9.0-alpha1, =26.0.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.1 and more Source cves: CVE-2026-35194 Source advisory: OSV:GHSA-2F54-V4HM-FX73...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 4 views

cn.ibizlab.plugin:ibiz-dataflow-flink (>=8.1.0.371 <=8.1.0.567.22), cn.sliew:flinkful-cli-descriptor-examples (>=1.0.2 <=1.0.7) +184 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (>=1.15.0 <=1.20.3)

org.apache.flink:flink-table-runtime MAVEN version =1.15.0, =8.1.0.371, =1.0.2, =1.0.3, =1.0.0, =1.0.2, =0.5.0, =0.5.0, =1.4.0, =1.4.0, =1.4.0, =1.0, =1.0.1 and more Source cves: CVE-2026-35194 Source advisory: SNYK:JAVA-ORGAPACHEFLINK-16799797...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 5 views

com.datasqrl.flinkrunner:datagen-connectors (=0.10.1), com.datasqrl.flinkrunner:kafka-safe-connector (>=0.9.0 <=0.10.1) +75 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-api-java (=2.2.0)

org.apache.flink:flink-table-api-java MAVEN version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.flink:flink-table-api-java and may be impacted: - com.datasqrl.flinkrunner:datagen-connectors =0.10.1 -...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 5 views

com.datasqrl.flinkrunner:stdlib-json (>=0.9.0 <=0.10.1), com.datasqrl:sqrl-discovery (>=0.9.0 <=0.10.4) +17 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (=2.2.0)

org.apache.flink:flink-table-runtime MAVEN version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.flink:flink-table-runtime and may be impacted: - com.datasqrl.flinkrunner:stdlib-json =0.9.0, =0.9.0, =0.9.0, =0.9.0, =2.2.0-EXNESS-0.1...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

vulnersOsv
added 2026/05/15 6:30 p.m., 5 views

com.datasqrl.flinkrunner:stdlib-json (>=0.9.0-alpha1 <=0.9.0-alpha2), com.datasqrl:sqrl-discovery (>=0.9.0-alpha1 <=0.9.0-alpha2) +14 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (>=2.1.0 <=2.1.1)

org.apache.flink:flink-table-runtime MAVEN version =2.1.0, =0.9.0-alpha1, =0.9.0-alpha1, =0.9.0-alpha1, =0.9.0-alpha1, =26.0.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.1 and more Source cves: CVE-2026-35194 Source advisory: SNYK:JAVA-ORGAPACHEFLINK-16799797...

CVSS 8.1, AI score 5.4, EPSS 0.00381
Exploits: 0

Debian
added 2026/05/15 4:54 p.m., 14 views

[SECURITY] [DLA 4585-1] firewalld security update

Debian LTS Advisory DLA-4585-1 https://www.debian.org/lts/security/ Andreas Henriksson May 15, 2026 https://wiki.debian.org/LTS Package: firewalld Version: 0.9.3-2+deb11u1 CVE ID: CVE-2026-4948 Debian Bug: A flaw was found in firewalld where a local unprivileged us...

CVSS 5.5, AI score 5.7, EPSS 0.00118
Exploits: 0

Github Security Blog
added 2026/05/15 4:31 p.m., 10 views

nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT

Impact: A malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record containing a TaggedSigned with a signature field whose byte length is not exactly 64. When the victim node's DHT verifier calls TaggedSigned::verify, execution reaches...

CVSS 7.5, AI score 6, EPSS 0.00626
Exploits: 0, References: 6, Affected Software: 1

SUSE Linux
added 2026/05/15 3:22 p.m., 7 views

Security update for firewalld

This update for firewalld fixes the following issue: CVE-2026-4948: local unprivileged users can modify the runtime firewall state without proper authentication due to D-Bus setter mis-authorizations bsc1260903. Patch Instructions: To install this SUSE update use the SUSE recommended installation...

CVSS 6.8, AI score 5.8, EPSS 0.00118
Exploits: 0, References: 4