ROS-20260417-73-0018

A vulnerability in the Python library for handling PyPDF PDF files involves uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

SUSE SLES12 Security Update : python-urllib3 (SUSE-SU-2026:1412-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1412-1 advisory. Security issues: - CVE-2025-66418: resource exhaustion via unbounded number of links in the decompression chain bsc1254866. -...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007554)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007554 advisory. In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsppipelinebuild dsppipelinebuild allocates dup pointer by kstrdupcfg,...

[SECURITY] Fedora 44 Update: plasma-pa-6.6.4-1.fc44

Plasma applet for audio volume management using PulseAudio...

[SECURITY] Fedora 44 Update: plasma-activities-stats-6.6.4-1.fc44

Library to access the usage statistics data collected by the KDE activity man ager...

SUSE CVE-2026-40959

Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod...

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Summary A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and...

CVE-2026-41113

CVE-2026-41113 affects sagredo qmail prior to 2026.04.07. Root cause: qmail-remote.c uses popen in notlshosts_auto, enabling remote code execution (tls_quit) over the network. Impact: high on confidentiality, integrity, and availability; attack vector is network with no privileges and no user int...

Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...

GHSA-QQVM-66Q4-VF5C Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...

MAL-2026-2914 Malicious code in modern-events (npm)

modern-events is a malicious npm package that when imported and using the function EventEmitter.emit... in file events.js exfiltrates local system information via telegram and slack and downloads a backdoor Win64/FaxedCook to C:/ProgramData/Policy/PublisherPolicy.tms. --- -= Per source details. D...

Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

In this article 1. Sapphire Sleet’s campaign lifecycle 2. Defending against Sapphire Sleet intrusion activity 3. Microsoft Defender detection and hunting guidance 4. Indicators of compromise Executive summary Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Kore...

FreeRDP: FreeRDP: Denial of Service via specially crafted Remote Desktop Protocol messages

A flaw was found in FreeRDP, a free implementation of the Remote Desktop Protocol RDP. A remote attacker could exploit this vulnerability by sending a specially crafted RDP message. This can lead to an undefined behavior where a wrapped value is used as a shift exponent, causing an approximately ...

SUSE-SU-2026:21208-1 Security update for dovecot24

This update for dovecot24 fixes the following issues: - Update to v2.4.3 - CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins bsc1260894. - CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing bsc1260895. -...

Memory Limit Bypass

LiquidJS is vulnerable to Memory Limit Bypass. The vulnerability is due to the replace filter incorrectly accounting for memory usage when the memoryLimit option is enabled, where an attacker who controls template content can bypass the memoryLimit DoS protection with approximately 2,500x...

PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code

Summary The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in PluginSecurity.validateplugincode is incomplete and can be bypassed using several Python constructs that are not checked. An...

SUSE SLES12 Security Update : util-linux (SUSE-SU-2026:1370-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:1370-1 advisory. - CVE-2026-3184: Fix full hostname usage for PAM to ensure correct access control for 'login -h' bsc1258859. Tenable has extracted the preceding...

PT-2026-33284

A Critical Remote Elevation of Privilege vulnerability CVE-2026-32179 affects MsQuic. Organizations should identify usage and monitor for updates. MsQuic ElevationOfPrivilege infosec https://t.co/NfNpj6XuC3...

Google Chrome on Windows Uninitialized Usage Vulnerability

Google Chrome is a web browser from Google, an American company. An uninitialized use vulnerability exists in Google Chrome on Windows, which can be exploited by an attacker to perform a sandbox escape via a specially crafted HTML page...

Arbitrary Code Injection

Overview upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP server task creation functionality. An attacker can execute arbitrary operating system commands with the...