CVE-2026-22687

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass...

Cosign verification accepts any valid Rekor entry under certain conditions

Impact A Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's...

BIT-GHOST-2026-22594 Ghost has Staff 2FA bypass

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0...

Security update for libtasn1

This update for libtasn1 fixes the following issues: CVE-2025-13151: stack-based buffer overflow in asn1expendoctetstring bsc1256341. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you can run t...

SUSE CVE-2026-22703

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CLSA-2026-1768210674 Fix CVE(s): CVE-2025-58436

SECURITY UPDATE: Possible DoS attack caused by a slow client communication - debian/patches/CVE-2025-58436.patch: fix unresponsive cupsd process caused by a slow client - CVE-2025-58436...

Important: Red Hat Security Advisory: wireshark security update

An update for wireshark is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available f...

Important: podman security update

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fixes: golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to...

Pixel Update Bulletin—January 2026Stay organized with collectionsSave and categorize content based on your preferences.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices Google devices. For Google devices, security patch levels of 2026-01-05 or later address all issues in this bulletin and all issues in the January 2026 Android...

CVE-2025-15506

A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has...

CVE-2026-0822

A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function jstypedarraysort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The...

EUVD-2026-1846

A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function jstypedarraysort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The...

CVE-2026-22773

vLLM is an inference and serving engine for large language models LLMs. In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimensi...

CVE-2026-22705

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature...

CVE-2026-22777

CVE-2026-22777 concerns ComfyUI-Manager, an extension for ComfyUI. A CRLF injection vulnerability exists in the configuration handling where an attacker can inject special characters into HTTP query parameters to add arbitrary values to the config.ini, potentially tampering with security settings...

CVE-2026-22703 Cosign verification accepts any valid Rekor entry under certain conditions

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVE-2026-22688

WeKnora is vulnerable to a command-injection in MCP stdio settings (stdio_config.command/args) that can cause the server to execute subprocesses when a user is authenticated. Affected: WeKnora prior to v0.2.5; patched in v0.2.5. The issue is triggered via MCP stdio configuration values and has be...

CVE-2026-22687 WeKnora vulnerable to SQL Injection

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt‑based bypass...

CVE-2026-22589 Spree API has Unauthenticated IDOR - Guest Address

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an unauthenticated attacker to access guest address information without...

CVE-2026-22594

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0...