162453 matches found
CVE-2026-41011
The CVE affects BOSH: all versions prior to v282.1.12 (inclusive). PackagePersister.validate_tgz constructs a tar command (tar -tf #{tgz}) using a name derived from release.MF without Shellwords.escape, and passes it to Bosh::Common::Exec.sh (via /bin/sh -c). The Models::Package validation runs a...
SUSE CVE-2026-37460
Missing input validation in the rfapiRibBi2Ri function rfapirib.c of FRRouting FRR stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service DoS via supplying a crafted BGP UPDATE message...
SUSE CVE-2026-43660
A validation issue was addressed with improved logic. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being...
SUSE CVE-2026-45283
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the fileslock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or...
crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
A flaw was found in Go's crypto/x509 package. A remote attacker could exploit this by presenting a specially crafted certificate chain containing a large number of policy mappings. This inefficient validation process consumes excessive resources, which can lead to a denial of service DoS for...
MalTree: Tracing Malware Evolution from Embeddings at Scale
Malware detection remains largely reactive: machine learning models trained on known samples degrade as threats evolve. Understanding evolutionary relationships among malware families can inform proactive defense, but traditional reverse engineering can take months to years to uncover such lineag...
PT-2026-46295
Name of the Vulnerable Software and Affected Versions nvm versions prior to 0.40.5 Description Command injection occurs when the software executes arbitrary commands from version strings provided by a configured Node.js/io.js mirror. When commands like nvm install read available versions from the...
PT-2026-49153
Publisher note Fixed in v1.7.17. Operators running v1.7.17 should upgrade. The decompression-error path in MultiDataInterceptor.ProcessReceivedMessage now releases the global throttler slot before returning guarded defer after StartProcessing, disabled when the asynchronous goroutine takes...
PT-2026-46154
Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted...
PT-2026-46846
Impact So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions. First of all, the attacker mus...
PT-2026-46183
HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expecte...
PT-2026-46268
Name of the Vulnerable Software and Affected Versions Net::CIDR::Set versions prior to 0.21 Description Net::CIDR::Set for Perl fails to properly validate network masks. The mask portion may contain non-digits or Unicode digits, such as the Arabic-Indic One U+0661, which are ignored, potentially...
PT-2026-46879
Impact So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions. First of all, the attacker mus...
PT-2026-46226
Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A URL validation flaw in the dashboard button widget allows a crafted relative-looking URL to be accepted as a local path while browsers interpret it as an external URL. The validation process...
PT-2026-46227
Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An open redirect occurs in the routeafterlogin function of the UsersController because the value stored in the pre login requested url session key is used as the post-login redirect destination...
PT-2026-46164
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service...
Devolutions Server < 2026.1.20 Multiple Vulnerabilities (DEVO-2026-0014)
The version of Devolutions Server installed on the remote host is prior to 2026.1.20. It is, therefore, affected by multiple vulnerabilities, including: - Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without...
RockyLinux 9 : flatpak (RLSA-2026:21755)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:21755 advisory. flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options CVE-2026-34078 flatpak: Flatpak: Arbitrary file deletion on ho...
Kibana 8.x < 8.19.16 / 9.0.x < 9.3.5 / 9.4.x < 9.4.2 Multiple Vulnerabilities (ESA-2026-35 / ESA-2026-38)
The version of Kibana installed on the remote host is prior to 8.19.16, 9.3.5, or 9.4.2. It is, therefore, affected by multiple vulnerabilities as referenced in the ESA-2026-35 and ESA-2026-38 advisories. - Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via...
PT-2026-46236
Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A logic error in the CRUD component delete handler allows validation failures to be bypassed when using the HTTP DELETE method. This occurs because missing parentheses in the delete condition...