13329 matches found

Cvelist
added 2026/04/22 9:37 a.m., 28 views

CVE-2026-33257 Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

5.3 CVSS, 0.00514 EPSS
Exploits: 0, References: 3
Snyk
added 2026/04/22 1:54 a.m., 2 views

Malicious Package

Overview trackora-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.4 AI score
Exploits: 0, References: 2
Snyk
added 2026/04/22 1:32 a.m., 4 views

Malicious Package

Overview claudcode-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.4 AI score
Exploits: 0, References: 2
Snyk
added 2026/04/22 1:29 a.m., 5 views

Malicious Package

Overview @bitunix/test is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.4 AI score
Exploits: 0, References: 2
Snyk
added 2026/04/22 1:29 a.m., 5 views

Malicious Package

Overview aventypes is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8 CVSS, 5.4 AI score
Exploits: 0, References: 2
Cvelist
added 2026/04/22 1:07 a.m., 29 views

CVE-2026-41146 facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fio_json_parse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning a...

8.7 CVSS, 0.00294 EPSS
Exploits: 0, References: 2
CNNVD
added 2026/04/22 12:00 a.m., 7 views

uutils coreutils security vulnerability

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. There is a security vulnerability in uutils coreutils. This vulnerability arises from the process of creating device nodes using mknod and setting SELinux contexts. As a result, nodes with incorrect labels may b...

4.4 CVSS, 5.8 AI score, 0.00142 EPSS
Exploits: 1, References: 1
Positive Technologies
added 2026/04/22 12:00 a.m., 10 views

PT-2026-34355

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: An issue exists in the ext4 file system where the ext4_inode_attach_jinode function publishes ei->jinode to concurrent users before jbd2_journal_init_jbd_inode is completed. This allows a...

8.8 CVSS, 5.3 AI score, 0.00469 EPSS
Exploits: 0, References: 128
Tenable Nessus
added 2026/04/22 12:00 a.m., 7 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013864)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013864 advisory. In the Linux kernel, the following vulnerability has been resolved: coresight: syscfg: Fix memleak on registration failure in cscfg_create_device. device_register calls...

5.5 CVSS, 5.7 AI score, 0.0024 EPSS
Exploits: 0, References: 4
Tenable Nessus
added 2026/04/22 12:00 a.m., 7 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013807)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013807 advisory. In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_copy_file_range. If the file is used by swap, before returning -EOPNOTSUPP,...

5.6 AI score, 0.00168 EPSS
Exploits: 0, References: 4
CNNVD
added 2026/04/22 12:00 a.m., 7 views

facil.io resource management error vulnerability

facil.io is a high-performance C-language web application micro-framework developed by the individual developer Bo. facil.io has a resource management vulnerability: fio_json_parse enters an infinite loop upon encountering nested JSON values that start with "i" or "I",...

8.7 CVSS, 5.8 AI score, 0.00294 EPSS
Exploits: 0, References: 1
OPENSUSE Linux
added 2026/04/22 12:00 a.m., 10 views

Security update for python-PyPDF2 (moderate)

openSUSE security update: security update for python-pypdf2
Announcement ID: openSUSE-SU-2026:20598-1
Rating: moderate
References: bsc1262284
Cross-References: CVE-2026-40260
Affected Products: openSUSE Leap 16.0...

6.9 CVSS, 5.7 AI score, 0.00423 EPSS
Exploits: 0, References: 1
Tenable Nessus
added 2026/04/22 12:00 a.m., 9 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013490)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013490 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy for BIOS version. The strlcat with FORTIFY support is triggering a panic...

5.5 CVSS, 6.6 AI score, 0.00167 EPSS
Exploits: 0, References: 4
Snyk
added 2026/04/21 10:00 p.m., 4 views

Embedded Malicious Code

Overview kube-health-tools is a lightweight Kubernetes node health diagnostics package. Affected versions of this package are vulnerable to Embedded Malicious Code that targets Kubernetes environments by installing a full LLM proxy service on the victim's machine, allowing the attacker to route LLM traffic...

9.8 CVSS, 5.5 AI score
Exploits: 0, References: 2
CVE
added 2026/04/21 8:45 p.m., 14 views

CVE-2026-6797

Sanluan PublicCMS (up to 6.202506.d) contains a vulnerability in ZipSecureFile.setMinInflateRatio within common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Manipulating this function can cause resource consumption and can be triggered remotely, leading to potential denial of servi...

5.3 CVSS, 5.4 AI score, 0.00267 EPSS
Exploits: 0, References: 3
CloudLinux
added 2026/04/21 5:13 p.m., 9 views

glibc: Fix of 3 CVEs

CVE-2018-6485: fix integer overflows in memalign and malloc
CVE-2018-1000001: fix realpath buffer underflow via getcwd
CVE-2018-19591: fix if_nametoindex descriptor leak...

9.8 CVSS, 5.5 AI score, 0.13614 EPSS
Exploits: 10
OSV
added 2026/04/21 5:08 p.m., 14 views

CLSA-2026-1776791328 nginx: Fix of 5 CVEs

CVE-2017-7529: fix integer overflow in range filter
CVE-2018-16843: fix excessive memory consumption in HTTP/2
CVE-2018-16844: fix excessive CPU usage in HTTP/2
CVE-2019-9511: fix excessive memory growth via HTTP/2 DATA frame manipulation
CVE-2019-9513: fix excessive CPU usage via HTTP/2...

7.8 CVSS, 7.3 AI score, 0.82567 EPSS
Exploits: 6, References: 1
OSV
added 2026/04/21 12:01 p.m., 4 views

BIT-AIRFLOW-2026-30898 Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf

An example of BashOperator in the Airflow documentation suggested a way of passing dag_run.conf that could cause unsanitized user input to be used to escalate the privileges of a UI user, allowing code execution on the worker. Users should review whether any of their own DAGs have adopted this incorrect advi...

8.8 CVSS, 5.9 AI score, 0.00771 EPSS
Exploits: 0, References: 4
Ubuntu
added 2026/04/21 11:36 a.m., 10 views

USN-8191-1: Apache Commons IO vulnerability

It was discovered that Apache Commons IO's XmlStreamReader class could excessively consume CPU resources under certain circumstances. An attacker could possibly use this issue to cause Apache Commons IO to crash, resulting in a denial of service...

4.3 CVSS, 5.8 AI score, 0.01249 EPSS
Exploits: 0
Malwarebytes
added 2026/04/21 10:12 a.m., 5 views

Android 17 ends all-or-nothing access to your contacts

Some of the apps on your phone want your contacts. Most don't need them all, but have been happily slurping up the lot for years. Google has decided to do something about that with the next version of Android. Android 17, currently in preview, is introducing a new Contact Picker that lets users gra...

5.7 AI score
Exploits: 0