[SECURITY] Fedora 43 Update: coturn-4.10.0-1.fc43

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gatew ay. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

CVE-2026-41894 SiYuan: Incomplete Fix Bypass for CVE-2026-30869: Path Traversal via Double URL Encoding in `/export/` Endpoint

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding...

CLSA-2026-1777052042 sqlite: Fix of CVE-2018-8740

CVE-2018-8740: avoid a NULL pointer dereference when the sqlitemaster schema contains a corrupt CREATE TABLE AS entry...

RUSTSEC-2026-0135 Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend

Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debugquery function as Display and Debug output. For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a reprru...

RUSTSEC-2026-0111 Possible UTF-8 corruption in Diesels SQLite backend

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

Possible UTF-8 corruption in Diesels SQLite backend

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

RUSTSEC-2026-0137 Possible unaligned data access for implementations of `SqliteAggregate`

Diesel allows to register custom aggregate SQL functions for SQLite via the SqliteAggregate interface. To store an instance of the custom aggregate processor Diesel relied on the sqlite3aggregatecontext function provided by sqlite. This function doesn't provide any guarantees about alignment of t...

Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend

Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debugquery function as Display and Debug output. For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a reprru...

Security Bulletin: Vulnerability in SQLite affects IBM Netezza Appliance

Summary The SQLite package is used by IBM Netezza Appliance. IBM Netezza Appliance has addressed the applicable CVE CVE-2025-6965 Vulnerability Details CVEID:CVE-2025-6965 DESCRIPTION: There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed t...

CLSA-2025-1754337993 sqlite: Fix of CVE-2025-6965

CVE-2025-6965: fix memory corruption issue caused by a query where the number of aggregate terms could exceed the number of columns available...

CLSA-2025-1754336638 sqlite: Fix of CVE-2025-6965

CVE-2025-6965: fix memory corruption issue caused by a query where the number of aggregate terms could exceed the number of columns available...

CLSA-2026-1776761965 colord: Fix of CVE-2021-42523

CVE-2021-42523: fix memory leak in cddevicedbload and cdprofiledbload where sqlite3exec errormsg output was allocated but never freed...

CVE-2025-70873 affecting package sqlite for versions less than 3.44.0-3

CVE-2025-70873 affecting package sqlite for versions less than 3.44.0-3. A patched version of the package is available...

BIT-SQLITE-2025-70873

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file...

CVE-2026-35465

CVE-2026-35465 affects SecureDrop Client

CVE-2026-35465 SecureDrop Client has path injection in read_gzip_header_filename()

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine sd-app by exploiting improper...

PT-2026-33546

Name of the Vulnerable Software and Affected Versions SecureDrop Client versions prior to 0.17.5 Description Improper filename validation during gzip archive extraction allows a compromised SecureDrop Server to achieve code execution on the Client virtual machine sd-app. This occurs because the...

PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass tableprefix straight into f-string SQL. Same root cause, same code pattern, same exploitation...

PT-2026-37121

Name of the Vulnerable Software and Affected Versions praisonai versions prior to 4.6.9 praisonaiagents versions prior to 1.6.9 Description Multiple backends in the multi-agent teams system fail to validate input, leading to arbitrary SQL execution. Specifically, nine backends—MySQL, PostgreSQL,...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: sqlite (UTSA-2026-007182)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007182 advisory. An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via...