CVE-2025-66564

Sigstore Timestamp Authority contains a vulnerability (CVE-2025-66564) where ParseJSONRequest and getContentType allocate O(n) bytes when handling untrusted input (an OID with many periods or a malformed Content-Type header). The issue is triggered by using strings.Split on untrusted data, leadin...

UBUNTU-CVE-2025-66506

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

CLSA-2025-1764868292 Fix CVE(s): CVE-2025-1094

SECURITY UPDATE: improper neutralization of quoting syntax in libpq functions allows SQL injection via psql in certain usage patterns - debian/patches/CVE-2025-1094.patch: Fix handling of invalidly encoded data in escaping functions - CVE-2025-1094...

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the createVerify function when using HS256 HMAC algorithms and incorporating user-provided data from the JSON Web Signature Protected Header or Payload in HMAC secret lookup routines...

GHSA-869P-CJFG-CM3X auth0/node-jws Improperly Verifies HMAC Signature

Overview An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions. Am I Affected? You are affected by this vulnerability if you meet all of the following preconditions: 1. Application uses the auth0/node-jws implementatio...

CVE-2025-40262 Input: imx_sc_key - fix memory corruption on unload

In the Linux kernel, the following vulnerability has been resolved: Input: imxsckey - fix memory corruption on unload This is supposed to be "priv" but we accidentally pass "&priv" which is an address in the stack and so it will lead to memory corruption when the imxsckeyaction function is called...

Malicious Package

Overview beep-types is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Malicious Package

Overview elf-stats-bright-cocoa-293 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview remark-mdx2.3 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Exploit for CVE-2025-55182

RSC Report Lab – CVE-2025-55182 React 19.2.0 Учебный стенд,...

OSV-2025-965 Stack-use-after-scope in Assimp::FBX::FBXExportProperty::FBXExportProperty

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=465494996 Crash type: Stack-use-after-scope READ 1 Crash state: Assimp::FBX::FBXExportProperty::FBXExportProperty Assimp::FBX::FBXExportProperty std::1::vectorAssimp::FBX::FBXExportProperty, Assimp::FBXExporter::WriteObjects...

Linux Distros Unpatched Vulnerability : CVE-2025-12744

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the ABRT daemon's handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them direct...

Python DoS Vulnerability (Dec 2025) - Linux

Python is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:python:python";...

CVE-2025-66453 Rhino vulnerable high CPU usage and potential DoS when passing specific numbers to toFixed() function

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed function, it might lead to high CPU consumption and a potential Denial of Service. Small...

PSF-2025-16

When building nested elements using xml.dom.minidom methods such as appendChild that have a dependency on clearidcache the algorithm is quadratic. Availability can be impacted when building excessively nested documents...

Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function

When an application passed an attacker controlled float poing number into the toFixed function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo DToA.JSdtostr DToA.JSdtoa DToA.pow5mult where pow5mult attempts to...

BIT-ACTIVEMQ-2021-21347 XStream is vulnerable to an Arbitrary Code Execution attack

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who follow...

Malicious Package

Overview buffer-envjs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Fileless protection explained: Blocking the invisible threat others miss

Most antivirus software for personal users scans your computer for malware hiding in files. This is, after all, how most malware is traditionally spread. But what about attacks that never create files? Fileless malware is a fast-growing threat that evades traditional antivirus software, because...

CVE-2025-13837

A flaw was found in the plistlib module in the Python standard library. The amount of data to read from a Plist file is specified in the file itself. This issue allows a specially crafted Plist file to cause an application to allocate a large amount of memory, potentially resulting in allocations...