Vite dev server - Cross-Site Scripting

Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Node.js

Summary There are multiple vulnerabilities in Node.js used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2026-44664 DESCRIPTION: fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using...

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Node.js

Summary There are multiple vulnerabilities in Node.js used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2026-41238 DESCRIPTION: DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype...

kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel

A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged...

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: drm/amd/display: Fixed a potential index out of bounds issue in the color transformation function. The issue of index out of bounds occurred when the index ‘i’ exceeded the number of transfer function points TRANSFERFUNCPOINTS...

Security Bulletin: IBM Sterling Transformation Extender is affected by multiple IBM Semeru Java 17 vulnerabilities

Summary IBM Sterling Transformation Extender uses IBM Semeru Runtime Certified Edition, Version 17 and is affected by multiple vulnerabilities Vulnerability Details CVEID:CVE-2026-1188 DESCRIPTION: In the Eclipse OMR port library component since release 0.2.0, an API function to return the textua...

kernel: "Dirty Frag" ESP XFRM variant is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel

A flaw was found in the Linux kernel's xfrm-ESP and RxRPC subsystems. Unsafe in-place cryptographic processing of shared socket buffer fragments allows a low-privileged local attacker to corrupt page-cache contents of readable files, including sensitive system files, and gain root privileges. The...

SUSE-SU-2026:21622-1 Security update for the Linux Kernel

The SUSE Linux Enterprise Micro 6.0 and Micro 6.1 RT kernel was updated to fix the following issues: - CVE-2026-43284: xfrm: esp: avoid in-place decrypt on shared skb frags bsc1264449. - CVE-2026-43500: rxrpc: unshare DATA/RESPONSE packets when paged frags are present bsc1264450...

Ubuntu 16.04 LTS / 18.04 LTS : HtmlUnit vulnerability (USN-8220-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8220-1 advisory. It was discovered that HtmlUnit was vulnerable to remote code execution via XSLT when browsing an attacker-controlled webpage. An attacker could...

Benchmarking Large Language Models for IoC Recovery under Adversarial Code Obfuscation and Encryption

Software obfuscation and encryption present persistent challenges for program comprehension and security analysis, particularly when adversaries conceal Indicators of Compromise IoCs such as IP addresses within source code. While Large Language Models LLMs have recently demonstrated remarkable...

SUSE-SU-2026:21563-1 Security update for the Linux Kernel (Live Patch 2 for SUSE Linux Enterprise 16)

This update for the SUSE Linux Enterprise Kernel 6.12.0-160000.7.1 fixes various security issues The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI bsc1252048. - CVE-2025-71066: net/sched: ets: Always remove class from active list before...

PT-2026-38055

A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of...

Security Bulletin: IBM Sterling Transformation Extender is affected by multiple IBM Java 8 vulnerabilities

Summary IBM Sterling Transformation Extender uses IBM SDK, Java Technology Edition, Version 8 and is affected by multiple vulnerabilities CVE-2026-22016, CVE-2026-22021, CVE-2026-22013, CVE-2026-22018, CVE-2026-34268 and CVE-2026-22007. Vulnerability Details CVEID:CVE-2026-22016 DESCRIPTION: Easi...

Astra Linux - уязвимость в linux-5.10, linux-5.15, linux

A race condition was detected in the Linux kernel’s IP framework for transforming packets XFRM subsystem, where multiple calls to xfrmprobealgs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an...

Astra Linux - уязвимость в thunderbird, firefox

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9...

Astra Linux - уязвимость в libxslt

A use-after-free vulnerability was discovered in libxslt while parsing XSL nodes, which may lead to the dereferencing of expired pointers and cause the application to crash...

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: drm/amd/display: Fixed an issue where an index out of bounds occurred in the DCN30 color transformation. This commit addresses a potential index out of bounds issue in the cm3helpertranslatecurvetoHWformat function within the...

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Java, JavaScript and IBM WebSphere Application Server Liberty

Summary There are multiple vulnerabilities in Java, JavaScript and IBM WebSphere Application Server Liberty used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2026-33151 DESCRIPTION: Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prio...

GitPython: Unsafe option check validates multi_options before shlex.split transformation

Summary clone validates multioptions as the original list, then executes shlex.split" ".joinmultioptions. A string like "--branch main --config core.hooksPath=/x" passes validation starts with --branch, but after split becomes "--branch", "main", "--config", "core.hooksPath=/x". Git applies the...

Ghost in the Agent: Redefining Information Flow Tracking for LLM Agents

Autonomous Large Language Model LLM agents are increasingly deployed to conduct complex tasks by interacting with external tools, APIs, and memory stores. However, processing untrusted external data exposes these agents to severe security threats, such as indirect prompt injection and unauthorize...