Astra Linux - уязвимость в libtomcrypt

In LibTomCrypt version 1.18.2, the derdecodeutf8string function located in derdecodeutf8string.c does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service such as out-of-bounds reads and crashes or to read information from other...

CVE-2026-42327

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocspresponders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref wraps the raw bytes with str::fromutf8unchecked. OpenSSL does not enforce th...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a crafted descriptor with a malicious default value for a byte...

node-ral (=0.17.0), protobufjs (=6.1.0) +1 more potentially affected by CVE-2026-44293 via @protobufjs/utf8 (>=1.0.1 <=1.1.0)

@protobufjs/utf8 NPM version =1.0.1, =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @protobufjs/utf8 and may be impacted: - node-ral =0.17.0 - protobufjs =6.1.0 - protobufjs-mod =6.8.2 Source cves: CVE-2026-44293 Source advisory:...

CVE-2026-45130

Vim: Heap buffer overflow in read_compound() (src/spellfile.c) prior to 9.2.0450 when loading a crafted, UTF-8 spell file (.spl). An attacker-controlled length in the spell file’s compound section overflows a 32-bit signed multiplication, causing a small heap buffer to be allocated for a write lo...

Astra Linux - уязвимость в mongo-c-driver

When calling bsonutf8validate on certain inputs, it is possible for an infinite loop to occur, with no way to exit. This issue affects All MongoDB C Driver versions prior to version 1.25.0...

Amazon Linux 2 : clamav1.4, --advisory ALAS2-2026-3276 (ALAS-2026-3276)

The version of clamav1.4 installed on the remote host is prior to 1.4.4-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3276 advisory. A vulnerability in the HTML Cascading Style Sheets CSS module of ClamAV could allow an unauthenticated, remote attacker to cause ...

Medium: clamav1.4

Issue Overview: A vulnerability in the HTML Cascading Style Sheets CSS module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper error handling when splitting UTF-8 strings. An attacker...

JLSEC-2026-179

When calling bsonutf8validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0...

CVE-2026-35375

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

CVE-2026-35375 uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

CLSA-2026-1776416477 ImageMagick: Fix of CVE-2026-32636

CVE-2026-32636: fix out-of-bounds write in NewXMLTree/ConvertUTF16ToUTF8...

CVE-2026-40324 Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

CVE-2026-40324

Hot Chocolate (GraphQL server) contains a vulnerability in Utf8GraphQLParser: prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, the recursive descent parser has no recursion-depth limit, so deeply nested GraphQL documents (as small as ~40 KB) can trigger a StackOverflowException. This unca...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the Utf8GraphQLParser parser. An attacker can cause the application to terminate unexpectedly and disrupt all active services by submitting a crafted GraphQL document with deeply nested selection sets, object...

CVE-2026-20202

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability editusercould create a special...

Medium: rust

Issue Overview: A flaw in the gix-date library can generate invalid non-UTF8 strings, leading to undefined behavior when processed. The most likely impact from a successful attack is to data integrity, by the malicious data being able to corrupt data being hold in memory and to system availabilit...

PT-2026-32394

Name of the Vulnerable Software and Affected Versions MongoDB C Driver versions prior to 1.30.5 MongoDB C Driver version 2.0.0 MongoDB C Driver version 2.0.1 Description The bson validate function may return early on specific inputs and incorrectly report success. This behavior could result in...

PT-2026-31388

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /web keyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, mem gb2312, and mem utf8 parameters...

CVE-2025-50665

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /webkeyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, memgb2312, and memutf8 parameters...