CVE-2026-31817

A flaw was found in OliveTin. When the saveLogs feature is enabled, an attacker can exploit a directory traversal vulnerability by manipulating the UniqueTrackingId field in the StartAction API request. This allows the attacker to write files to arbitrary locations on the filesystem, potentially...

CVE-2026-27137

A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly...

CVE-2025-69651

A flaw was found in binutils. An attacker could exploit this vulnerability by providing a crafted Executable and Linkable Format ELF binary with malformed relocation or symbol data. Processing this malicious binary leads to an invalid pointer free, which triggers memory corruption checks and caus...

CVE-2025-69645

A flaw was found in binutils, specifically in the objdump utility. A local attacker can exploit this vulnerability by providing a specially crafted binary file containing malformed DWARF Debugging With Attributed Record Formats debug information. This can lead to a logic error during the processi...

CVE-2026-28348

A flaw was found in lxmlhtmlclean. The hassneakyjavascript method incorrectly strips backslashes before checking for dangerous CSS keywords. This allows CSS Unicode escape sequences to bypass @import and expression filters. A remote attacker could exploit this to achieve external CSS loading or...

CVE-2026-29054

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote unauthenticated client can exploit a case sensitivity vulnerability in how Traefik processes HTTP/1.1 requests. By using lowercase tokens in the Connection header, an attacker can bypass security protections, leading t...

CVE-2026-25048

A flaw was found in xgrammar, an open-source library for structured generation. This vulnerability allows an attacker to trigger a segmentation fault, causing the program to crash and resulting in a Denial of Service DoS. The issue occurs due to improper handling of multi-level nested syntax...

CVE-2026-27141

A flaw was found in golang.org/x/net/http2. A remote attacker can exploit this vulnerability by sending specially crafted HTTP/2 frames, which are data packets used in the HTTP/2 protocol. Due to a missing check for null values, processing these specific frames types 0x0a through 0x0f can cause t...

CVE-2026-25953

A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol. This use-after-free vulnerability occurs in the xfAppUpdateWindowFromSurface function where a bare pointer to a window is obtained without proper lifetime protection. A remote attacker could exploit this by...

CVE-2026-3145

A flaw was found in libvips. A local attacker can exploit a vulnerability in the vipsforeignloadmatrixfileisa and vipsforeignloadmatrixheader functions by executing an empty but very large input. This can lead to memory corruption, potentially causing a denial of service or other impacts...

CVE-2026-25882

A flaw was found in Fiber, an Express-inspired web framework for Go. This denial of service DoS vulnerability allows a remote attacker to crash the application. By sending requests to routes containing more than 30 parameters, the attacker can exploit missing validation during route registration...

CVE-2026-27586

A flaw was found in Caddy, an extensible server platform. Two errors in the ClientAuthentication.provision function can cause mutual Transport Layer Security mTLS client certificate authentication to silently fail open. This occurs when a Certificate Authority CA certificate file is missing,...

CVE-2026-1229

A flaw was found in the github.com/cloudflare/circl/ecc/p384 package. The CombinedMult function, which is part of the elliptic curve cryptography ECC implementation for the secp384r1 curve, generates an incorrect value when provided with specific inputs. This can lead to incorrect cryptographic...

CVE-2025-61144

A denial of service flaw has been found in libtiff. This stack-based buffer overflow occurs in tiffcrop part of libtiff within the function readSeparateStripsIntoBuffer. When processing a malformed TIFF directory e.g., improper tags/order, missing StripByteCounts, the function overflows a...

CVE-2025-61145

A denial of service flaw via segmentation fault has been found in libtiff. This segmentation fault vulnerability is caused by accessing invalid or corrupted memory addresses during memory deallocation operations. The root issue lies in the cleanup logic of the main function where the program...

CVE-2026-2968

A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mgchacha20poly1305decrypt of the file /src/tlschacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be...

CVE-2026-2045

A flaw was found in GIMP. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the conte...

CVE-2026-2818

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only. Mitigation Mitigation for this issue is either not available or...

CVE-2026-2817

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

CVE-2026-26203

PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked...