CVE-2026-48515 MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T,, T,,, or T,,, before validating that the dimension product matches the encoded element count. T...

crypto/x509: Incorrect enforcement of email constraints in crypto/x509

A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly...

crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application

A flaw was found in the crypto/x509 package within Go golang. When verifying a certificate chain, excluded DNS Domain Name System constraints are not correctly applied to wildcard DNS Subject Alternative Names SANs if the case of the SAN differs from the constraint. This oversight could allow an...

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security TLS session resumption when certificate authority CA settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

Important: Red Hat Security Advisory: Red Hat OpenStack Platform 17.1 (etcd) security update

An update for etcd is now available for Red Hat OpenStack Platform 17.1 Wallaby. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVE-2026-54911

CVE-2026-54911 (UltraJSON) : The vulnerability affects UltraJSON (C core with Python bindings) where ujson.dumps()/dump()/encode() with reject_bytes=False may accept malformed or truncated UTF-8, silently rewriting to other Unicode characters instead of rejecting. This enables input validation by...

crypto/x509: Incorrect enforcement of email constraints in crypto/x509

A certificate validation flaw has been discovered in the golang crypto/x509 module. When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly...

CVE-2026-47242 Net::IMAP: Command Injection via ID command argument

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, when Net::IMAPid is called with a hash argument, although the ID field value strings are correctly quoted escaping quoted specials, they were not validated to prohibit CRLF sequence...

CVE-2026-47242

Net::IMAP (Ruby) CVE-2026-47242 affects versions before 0.6.5 and 0.5.15. The vulnerability arises because Net::IMAP#id (with a hash argument) and Net::IMAP#enable do not properly validate arguments, allowing CRLF or atom-list injections and causing the #to_s value to be sent verbatim. An attacke...

CVE-2026-47241 Net::IMAP: Denial of Service via incomplete raw argument validation

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled inpu...

CVE-2026-55599

phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access AIA extension and connects to it...

CVE-2026-55599

phpseclib (versions 0.1.1 through 1.0.30, 2.0.55, and 3.0.54) vulnerability: X509::validateSignature() reads a URL from the certificate's Authority Information Access extension and connects to it, enabling an attacker supplying a cert to fully control the outbound connection (host, port, path). T...

CVE-2026-55599 phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access

phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access AIA extension and connects to it...

CVE-2026-55599

phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access AIA extension and connects to it...

CVE-2026-56405

A flaw was found in libexpat. An integer overflow vulnerability exists within the getAttributeId function. This flaw could allow an attacker to potentially disclose sensitive information or execute arbitrary code, leading to a compromise of the system's integrity and confidentiality. Mitigation T...

CVE-2026-53540

Python-Multipart vulnerability CVE-2026-53540 affects the parse_form function in versions prior to 0.0.31. A negative Content-Length could cause a bounded read to become unbounded, loading the entire request body into memory and potentially exhausting memory. The issue is fixed in 0.0.31; remedia...

EUVD-2024-36468

OpenCTI May Bypass Introspection Restriction...

CVE-2026-8823

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669...