CLSA-2026-1779203719 php: Fix of 6 CVEs

CVE-2026-6722: fix stale SOAPGLOBAL refmap pointer with Apache Map GHSA-85c2-q967-79q5 - CVE-2026-7262: fix broken Apache map value NULL check in soap encoder GHSA-hmxp-6pc4-f3vv - CVE-2026-7568: fix signed integer overflow of char array offset in metaphone GHSA-96wq-48vp-hh57 - CVE-2026-7261:...

CVE-2026-43861

mutt before 2.3.2 does not check for '\0' in urlpctdecode...

UBUNTU-CVE-2026-43861

mutt before 2.3.2 does not check for '\0' in urlpctdecode...

CVE-2026-43861

mutt before 2.3.2 does not check for '\0' in urlpctdecode...

CVE-2026-43861

mutt before 2.3.2 does not check for '\0' in urlpctdecode...

EUVD-2026-11749

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CVE-2026-22204

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

PT-2026-25144

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment author email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wp mail...

CVE-2026-29045

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...

CVE-2025-63153

TOTOLink A7000R V9.1.0u.6115B20201022 was discovered to contain a stack overflow in the ssid parameter of the urldecode function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted request...

PT-2025-44657

Name of the Vulnerable Software and Affected Versions Totolink A7000R version 9.1.0u.6115 B20201022 Description The software contains a stack overflow issue through the ssid5g parameter within the urldecode function. A crafted request can lead to a Denial of Service DoS. Recommendations At the...

EUVD-2021-9142

Malicious code in bioql PyPI...

CVE-2025-23039 Cross Site Scripting on URL decode Tooltip in Caido

Caido is a web security auditing toolkit. A Cross-Site Scripting XSS vulnerability was identified in Caido v0.45.0 due to improper sanitization in the URL decoding tooltip of HTTP request and response editors. This issue could allow an attacker to execute arbitrary scripts, potentially leading to...

Cookie Injection

react/http is vulnerable to cookie injection. The vulnerability exists due to a lack of sanitization in the decode function in urldecode in Message/ServerRequest.php allowing an attacker to counterfeit cookies...

Amazon Linux 2022 : php, php-bcmath, php-cli (ALAS2022-2022-073)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-073 advisory. A flaw was found in php. The main cause of this vulnerability is improper input validation while parsing an Extensible Markup LanguageXML entity. A special character could allow an attacker to...

EulerOS 2.0 SP3 : php (EulerOS-SA-2022-1755)

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexmlloadfile, URL-decode th...

Debian DSA-5082-1 : php7.4 - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5082 advisory. Two security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure or denial of...

DEBIAN-CVE-2021-21707

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexmlloadfile, URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the...

CVE-2021-21707

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexmlloadfile, URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the...

SUSE: Security Advisory (SUSE-SU-2013:1166-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...