CVE-2026-55960

Un-negotiated Raw Public Key RFC 7250 accepted in place of an X.509 certificate, bypassing chain validation. A raw public key has no chain, so ParseCertRelative accepts it without performing any trust verification; it must therefore only be accepted when RPK was actually negotiated for that peer...

Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository

Summary mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/, .mise/tasks/, … but no config file, mise falls back to the default includes and...

CVE-2026-35533

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted a...

EUVD-2026-23295

Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causin...

EUVD-2025-25419

Malicious code in bioql PyPI...

CVE-2025-7390

A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication...

GO-2024-2933 Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij

Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij...

CVE-2024-5899 Improper trust check in Bazel Build intellij plugin

When Bazel Plugin in intellij imports a project either using "import project" or "Auto import" the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance.createProject. This...

SUSE CVE-2022-26305

An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the...

Fedora 15 : PackageKit-0.6.15-2.fc15 (2011-8943)

Upstream yum recently changed the behaviour when checking signatures on a package. The commit added a new configuration key which only affects local packages, but the key was set by default to False. - This meant that an end user could install a local unsigned rpm package using PackageKit without...