PT-2026-38272

Name of the Vulnerable Software and Affected Versions Flight versions prior to 3.18.1 Description The SimplePdo::insert, SimplePdo::update, and SimplePdo::delete functions build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query without...

CVE-2026-32936

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS DoH GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a...

Server-side Request Forgery (SSRF)

Overview requests-hardened is an A library that overrides the default behaviors of the requests library, and adds new security features. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the URL filtering process. An attacker can access internal services and...

EUVD-2026-27442

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS DoH GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a...

CVE-2026-32936 CoreDNS DoH GET path missing size validation causes CPU and memory amplification

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS DoH GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a...

Malicious Package

Overview internal-auth-provider is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

Malicious Package

Overview @corp-infra/sso-gateway-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview enterprise-auth-gateway-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview @tech-global/internal-gateway-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

Malicious Package

Overview gweb-build-system is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview bpmn-studio is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

CVE-2026-7865 Hidden Console Command

A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A third party researcher Eugene Lim had discovered vulnerability in the way console command passes to a popen function call. Attackers with authenticated access to SSH...

kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsitdecsessionusagecount In iscsitdecsessionusagecount, the function calls complete while holding the sess-sessionusagelock. Similar to the connection usage count logic, the waiter...

CLSA-2026-1777976700 dovecot: Fix of CVE-2026-27857

CVE-2026-27857: limit the number of open IMAP parser lists in imap-login to prevent excessive memory usage from deeply nested parentheses e.g. NOOP...

kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsitdecsessionusagecount In iscsitdecsessionusagecount, the function calls complete while holding the sess-sessionusagelock. Similar to the connection usage count logic, the waiter...

kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsitdecsessionusagecount In iscsitdecsessionusagecount, the function calls complete while holding the sess-sessionusagelock. Similar to the connection usage count logic, the waiter...

CVE-2026-43870

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting', Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift:...

CVE-2026-43870 Apache Thrift: Node.js web_server.js multi-vulnerability

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting', Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift:...

CLSA-2026-1777947165 Fix CVE(s): CVE-2026-35414

SECURITY UPDATE: authorizedkeys principals="" option mismatches certificate principals containing comma characters. - debian/patches/CVE-2026-35414.patch: rewrite matchprincipalsoption to split principallist with strsep and compare with strcmp. - CVE-2026-35414...

SUSE CVE-2026-43028

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: ensure names are nul-terminated Reject names that lack a \0 character before feeding them to functions that expect c-strings. Fixes tag is the most recent commit that needs this change...