Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in Axios

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in Axios. CVE-2025-62718 The vulnerability have been addressed. Vulnerability Details CVEID:CVE-2025-62718 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.j...

Astra Linux - уязвимость в flatpak

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak applications that had direct access to AFUNIX sockets—such as those used by Wayland, Pipewire, or pipewire-pulse—could trick portals and other host-...

Astra Linux - уязвимость в symfony

symfony/validator is a module for the Symphony PHP framework that provides tools for validating values. It’s possible to trick a Validator configured with a regular expression using the $ metacharacter, especially when the input ends with \n. Starting from versions 5.4.43, 6.4.11, and 7.1.4,...

Astra Linux - уязвимость в freerdp2

FreeRDP is a free remote desktop protocol library and client. All FreeRDP-based clients that use the /video command-line switch may read uninitialized data, interpret it as audio/video, and display the result. Server implementations based on FreeRDP are not affected by this issue. This issue has...

Astra Linux - уязвимость в node-babel

Babel is a compiler for writing JavaScript code. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4, as well as all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, especially...

Astra Linux - уязвимость в tomcat9

A flaw in Apache Tomcat allows improper neutralization of escape, meta, or control sequences. Tomcat does not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, an attacker could use a...

Astra Linux - уязвимость в tomcat9

DoS attack due to a vulnerability related to incomplete cleanup in Apache Tomcat. WebSocket clients were able to keep WebSocket connections open, leading to increased resource consumption. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18,...

Astra Linux - уязвимость в tomcat9

There is a vulnerability in Apache Tomcat known as “Allocation of Resources Without Limits or Throttling”. This issue affects Apache Tomcat versions ranging from 11.0.0-M1 to 11.0.21, from 10.1.0-M1 to 10.1.54, and from 9.0.0.M1 to 9.0.117. Older, unsupported versions may also be affected. It is...

Astra Linux - уязвимость в libxstream-java

XStream is a simple library for serializing objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service—only by manipulating the processed input stream when XStream is configured to use th...

Astra Linux - уязвимость в composer

Composer is a dependency manager for PHP. The URLs for Mercurial repositories in the composer.json file at the root level, as well as the source download URLs, are not sanified correctly. Specifically crafted URL values allow code to be executed via the HgDriver if hg/Mercurial is installed on th...

PT-2026-42206

Impact On April 29, 2026, compromised versions of @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected] were published. The malicious packages harvested credentials and attempted self-propagation. If a compromised version was installed, all credentials accessible on that...

CVE-2026-6365 Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal core allows Cross-Site Scripting XSS. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7...

CVE-2026-47323 Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering

Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http only...

CVE-2026-31909

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

EUVD-2026-30868

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build

A security vulnerability in the Vaadin Maven plugin and Vaadin Gradle plugin exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. See CWE-209 Generation of Error Message Containing Sensitive Information Description A possibl...

PT-2026-41959

Name of the Vulnerable Software and Affected Versions go-git versions prior to v5 Description A path validation issue allows crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. This occurs because the software drifted from...

Angular template injection in Reports in Guardian/CMC before 26.1.0

Summary An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. Impact An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially...

Out-of-bounds Write

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

Out-of-bounds Write

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...