EUVD-2026-39577

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import...

CVE-2026-12992

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import...

PT-2026-52594

Name of the Vulnerable Software and Affected Versions Apicurio Registry affected versions not specified Description A flaw exists where the WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, a user with...

CVE-2026-56242

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

CVE-2026-56242

Technical details beyond the provided description are not publicly available in the supplied documents. Monitor for updates for vulnerability specifics, affected versions, impact, and remediations.

PT-2026-51221

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An unauthenticated security definer RPC function get identity apikey only returns the owning user id for supplied API keys. This creates an API key validity oracle—a mechanism that allows an attacke...

Astra Linux – Vulnerability in Firefox, Thunderbird

Through the use of reportValidity and window.open, a plain-text validation message could be displayed on another origin, potentially causing confusion for users and allowing for spoofing attacks. This vulnerability affects Firefox 93, Thunderbird 91.2, and Firefox ESR 91.2...

Astra Linux – Vulnerability in Firefox, Thunderbird

By displaying a form validation message in the correct location at the same time as a permission prompt such as for geolocation, the validation message could potentially obscure the prompt, allowing the user to be tricked into granting the permission. This vulnerability affects Firefox 94,...

Astra Linux – Vulnerability in freerdp2

FreeRDP is a free implementation of the Remote Desktop Protocol RDP. Prior to version 2.7.0, server-side authentication against a SAM file might succeed with invalid credentials if the server had configured an invalid SAM file path. Clients based on FreeRDP are not affected by this issue. However...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: KVM: s390 – Fixed an issue with validity checks when gisa is disabled. This issue occurs when gisa is disabled either by using the kernel parameter “kvm.usegisa=0” or by setting the related sysfs attribute to N e.g., echo N...

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fixed a slab-out-of-bounds read in hdrdeletede. Here is a bug report from syzbot: Bug: KASAN: Slab-out-of-bounds in hdrdeletede+0xe0/0x150, fs/ntfs3/index.c:806. A read of size 16842960 was performed at address...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: pinctrl: nuvoton: wpcm450: fix an out-of-bounds write issue. The write operation to ‘pctrl-gpiobank’ occurs before the check for the validity of the GPIO index, which may lead to an out-of-bounds write. This issue was detected by...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: serial: max310x: Fixed a NULL pointer dereferencing issue during I2C instantiation. When attempting to instantiate a max14830 device from userspace: echo max14830 0x60 /sys/bus/i2c/devices/i2c-2/newdevice we encounter the followi...

CVE-2026-5943

Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information...

CVE-2026-40585

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a passwordresetat timestamp. However, the token redemption function findUserIDFromEmailAndToken queries only for a matching...

ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()

...

CVE-2026-42791

Summary: CVE-2026-42791 is an improper certificate validation weakness in Erlang OTP’s public_key/pubkey_ocsp module. OCSP response verification (pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3) fails to enforce the validity period (notBefore/notAfter) of the OCSP responde...

EEF-CVE-2026-42791 OCSP responder certificate validity period not checked in public_key

Summary Improper Certificate Validation vulnerability in Erlang OTP publickey pubkeyocsp module allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP response verification in pubkeyocsp:verifyresponse/5 and pubkeyocsp:isauthorizedresponder/3 in...

CVE-2026-45892 ext4: drop extent cache after doing PARTIAL_VALID1 zeroout

In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIALVALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4splitextent with the EXT4EXTMAYZEROOUT and EXT4EXTDATAVALID2 flags set, it could...

CVE-2026-45858

In the Linux kernel, the following vulnerability has been resolved: ext4: don't zero the entire extent if EXT4EXTDATAPARTIALVALID1 When allocating initialized blocks from a large unwritten extent, or when splitting an unwritten extent during end I/O and converting it to initialized, there is...