796 matches found
CVE-2026-48819
CVE-2026-48819 affects the Hey API openapi-ts code generator. Prior to version 0.97.3, the generated template in dist/clients/core/params.ts copies a runtime template into SDKs (params.gen.ts). The function buildClientParams writes unknown keys with slot prefixes (notably $query_) directly into s...
CVE-2026-48819 Hey API: `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key
Hey API is an ecosystem for turning API specifications into production-ready code. Prior to 0.97.3, dist/clients/core/params.ts ships a runtime template copied into generated SDKs as params.gen.ts, and buildClientParams writes unknown slot-prefixed keys such as $body, $headers, $path, and $query...
CVE-2026-49212
Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier props vs propsFromParent, or request contex...
CVE-2026-49212 Symfony UX: LiveComponentHydrator HMAC checksum lacks component and slot binding
Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier props vs propsFromParent, or request contex...
CVE-2026-49212
The CVE-2026-49212 issue affects Symfony UX LiveComponent: the HMAC used to protect read-only props and the propsFromParent blob did not bind to component name, slot, or request context, allowing a signed blob for one component/slot to be replayed on another and potentially set a read-only prop. ...
CVE-2026-44434
Quicly is an IETF QUIC protocol implementation intended primarily for use within the H2O HTTP server. Prior to commit dccf5d4, Quicly was vulnerable to stateless reset injection through lack of packet entry validation. The QUIC protocol is designed to withstand packet injection attacks, once the...
MAL-2026-10540 Malicious code in postcss-processor-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0253c4f750443ba47f0ab61347fa85a1659b847190a85757575e904966636da On require, src/index.js loads src/token-loader.js, which reads data/design-tokens.json, XOR-decodes the base64 blobs under encrypted.chunks using a...
OESA-2026-2898 graphite2 security update
Graphite is a system that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors. A smart font contains not only letter shapes but also additional instructions indicating how to combine and position the letters in complex ways. Security Fixes:...
UBUNTU-CVE-2026-53359
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad "KVM: x86: Fix shadow paging use-after-free due to unexpected GFN" fixed a shadow paging mismatch between stored and computed GFNs; the bug...
CVE-2026-53359 KVM: x86: Fix shadow paging use-after-free due to unexpected role
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad "KVM: x86: Fix shadow paging use-after-free due to unexpected GFN" fixed a shadow paging mismatch between stored and computed GFNs; the bug...
PT-2026-55206
Name of the Vulnerable Software and Affected Versions @hey-api/openapi-ts versions prior to 0.97.3 Description An issue exists in the dist/clients/core/params.ts file, which is used as a runtime template in generated SDKs. The buildClientParams function fails to validate unknown keys that start...
rpm: heap buffer overflow in NDB slot table parsing
No description is available for this CVE...
CVE-2026-53324
In the Linux kernel, the following vulnerability has been resolved: net: mana: Use pciname for debugfs directory naming Use pcinamepdev for the per-device debugfs directory instead of hardcoded "0" for PFs and pcislotnamepdev-slot for VFs. The previous approach had two issues: 1. pcislotname...
Linux Distros Unpatched Vulnerability : CVE-2026-53324
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net: mana: Use pciname for debugfs directory naming Use pcinamepdev for the per-device debugfs directory instead of hardcoded 0 for PFs and pcislotnamepdev-slot...
SUSE CVE-2026-53324
In the Linux kernel, the following vulnerability has been resolved: net: mana: Use pciname for debugfs directory naming Use pcinamepdev for the per-device debugfs directory instead of hardcoded "0" for PFs and pcislotnamepdev-slot for VFs. The previous approach had two issues: 1. pcislotname...
DEBIAN-CVE-2026-53324
In the Linux kernel, the following vulnerability has been resolved: net: mana: Use pciname for debugfs directory naming Use pcinamepdev for the per-device debugfs directory instead of hardcoded "0" for PFs and pcislotnamepdev-slot for VFs. The previous approach had two issues: 1. pcislotname...
Malicious code in ts-einkle-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b Package is published as ts-einkle-slot but its tarball contents source, README, LICENCE, package.json author/repository/description are copied verbat...
MAL-2026-6525 Malicious code in ts-einkle-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b Package is published as ts-einkle-slot but its tarball contents source, README, LICENCE, package.json author/repository/description are copied verbat...
CVE-2026-53277
A flaw was found in the Kernel-based Virtual Machine KVM component of the Linux kernel on arm64 architectures. This vulnerability occurs because certain page table walk operations, used in fault injection and Address Translation AT emulation, do not properly acquire a Sleepable Read-Copy Update...
SUSE CVE-2026-52969
In the Linux kernel, the following vulnerability has been resolved: KVM: Reject wrapped offset in kvmresetdirtygfn kvmresetdirtygfn guards the gfn range with if !memslot || offset + flsmask = memslot-npages return; but offset is u64 and the addition is unchecked. The check can be silently bypasse...