CVE-2026-41309

Open Source Social Network OSSN is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions e.g., $10000 \times 10000$ pixels. While the compressed file size...

SUSE CVE-2026-6843

A flaw was found in nano. A local user could exploit a format string vulnerability in the statusline function. By creating a directory with a name containing printf specifiers, the application attempts to display this name, leading to a segmentation fault SEGV. This results in a Denial of Service...

SUSE CVE-2026-41988

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue...

EUVD-2026-25305

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balanceserve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads without validation. Attackers can...

PT-2026-34840

Open Source Social Network OSSN is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions e.g., $10000 times 10000$ pixels. While the compressed file size ...

qemu-kvm security update

7.2.0-37.el9 - hashing: use mmap/munmap for isal functions Elena Ufimtseva Orabug: 39165991 - multifd: replace allocations/free with mmap/munmap Elena Ufimtseva Orabug: 39165991 - pagecache: use mmap based data pool for cache items Elena Ufimtseva Orabug: 39165991 - pagecache: change cache...

PT-2026-34911

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix missing NULL checks for kstrdup 1. Replace "of find node by path"/"" with "of root" to avoid multiple calls to "of node put". 2. Fix a potential kernel oops during early boot when memory allocation fails while...

kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsitdecsessionusagecount In iscsitdecsessionusagecount, the function calls complete while holding the sess-sessionusagelock. Similar to the connection usage count logic, the waiter...

crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation

A flaw was found in Go's crypto/x509 package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service DoS for...

CVE-2026-41138

Summary (CVE-2026-41138): Flowise Flowise 3.x contains a remote code execution vulnerability in the Airtable_Agent path (AirtableAgent.ts) due to lack of input verification when using Pandas. User input is injected into the prompt’s question parameter and reflected into Python code without saniti...

CVE-2026-41138

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within...

CVE-2026-41173

OpenTelemetry.Sampler.AWS is affected by an unbounded HTTP response body read in the AWS X-Ray remote sampler prior to 0.1.0-alpha.8. The AWSXRaySamplerClient.DoRequestAsync call reads the entire HTTP response into memory (ReadAsStringAsync) without size limits, enabling an attacker controlling o...

CVE-2026-40894

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators...

WordPress BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin <= 4.3.11 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usage vulnerability

Missing Authorization to Authenticated Subscriber+ Unauthorized AI API Usage vulnerability discovered by h0xilo in WordPress Plugin BetterDocs versions = 4.3.11...

Malicious Package

Overview chai-as-optimized is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

bare-metal is deprecated

The bare-metal crate has been deprecated and archived. For Mutex and CriticalSection, see the critical-section crate instead...

RUSTSEC-2026-0108 `sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

Exploit for Improper Ownership Management in Debian Debian_Linux

HTB-TwoMillion-Writeup HackTheBox TwoMillion machine writeup —...

Malicious Package

Overview json-dec is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Malicious Package

Overview changelog-cli-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...