Amazon Linux 2023 : soci-snapshotter (ALAS2023-2026-1740)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1740 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

Amazon Linux 2023 : oci-add-hooks (ALAS2023-2026-1739)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1739 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

Amazon Linux 2023 : nerdctl (ALAS2023-2026-1735)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1735 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

Important: docker

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Important: docker

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Important: oci-add-hooks

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Important: runc

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Important: docker

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Important: amazon-ecr-credential-helper

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

SUSE-SU-2026:21804-1 Security update for go1.26

This update for go1.26 fixes the following issues Security issues: - CVE-2026-33811: net: crash when handling long CNAME response bsc1264508. - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1264506. - CVE-2026-39817: cmd/go: "go tool pack" does...

www/gohugo -- CWE-79: XSS vulnerabilities

https://go.dev/issue/78913 reports: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to...

BIT-GOLANG-2026-32289 JsBraceDepth Context Tracking Bugs (XSS) in html/template

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being...

SUSE-SU-2026:0976-1 Security update for go1.26-openssl

This update for go1.26-openssl fixes the following issues: Update to go 1.26.1 bsc1255111, jscSLE-18320: - CVE-2026-25679: net/url: reject IPv6 literal not at start of host bsc1259264. - CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints bsc1259266. - CVE-2026-27138:...

Security update for go1.26

This update for go1.26 fixes the following issues: Update to go1.26.1 bsc1255111: CVE-2026-25679: net/url: reject IPv6 literal not at start of host bsc1259264. CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints bsc1259266. CVE-2026-27138: crypto/x509: panic in name constraint...

Gogs: Stored XSS in branch and wiki views through author and committer names

Summary Stored XSS is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data URLs. Details safe still turns off escaping: - internal/template/template.go - func saferaw string template.HTML return template.HTMLraw Branch pages...

GHSA-R294-2894-92J3 OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering

Summary The exported session HTML viewer allowed stored XSS when untrusted session content included raw HTML markdown tokens or unescaped metadata fields. Impact Opening a crafted exported HTML session could execute attacker-controlled JavaScript in the viewer context. This can expose session...

ALSA-2026:3428 Important: container-tools:rhel8 security update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: html/template: errors returned from MarshalJSON methods may break template escaping CVE-2024-24785 crypto/x509: golang: Denial of Service due to excessive...

Important: container-tools:rhel8 security update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: html/template: errors returned from MarshalJSON methods may break template escaping CVE-2024-24785 crypto/x509: golang: Denial of Service due to excessive...

MiracleLinux 9 : toolbox-0.0.99.5-5.el9 (AXSA:2024-9104:02)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-9104:02 advisory. golang: net/http: golang: mime/multipart: golang: net/textproto: memory exhaustion in Request.ParseMultipartForm CVE-2023-45290 golang: html/templat...

MiracleLinux 9 : delve-1.21.2-2.el9, golang-1.21.9-2.el9 (AXSA:2024-7759:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7759:01 advisory. golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads CVE-2024-1394 golang: net/http: memory exhaustion in...