Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via unsanitized header or query parameter match values in the HTTPRoute resource. An attacker can bypass listener hostname constraints and...

SUSE CVE-2026-1229

The CombinedMult function in the CIRCL ecc/p384 package secp384r1 curve produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3...

EUVD-2026-11201

Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values...

`Authorization::value` and `WwwAuthenticate::value` can violate ASCII invariants

Authorization::value uses HeaderValue::value with the claim that the internal string is ASCII, but Authorization::new and Authorization::setcredentials accept arbitrary String credentials without validation. As a result, safe code can construct a header value containing non-ASCII UTF-8 while the...

CVE-2026-3231

The CVE-2026-3231 entry concerns the WooCommerce plugin Checkout Field Editor (Checkout Manager) for WordPress, vulnerable to Stored Cross-Site Scripting via custom radio/checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to 2.1.7. The root ca...

EUVD-2026-10922

Sylius has a DQL Injection via API Order Filters...

CVE-2026-31838 Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests...

CVE-2026-31838

CVE-2026-31838 describes a vulnerability in Istio where an Envoy RBAC header matching could bypass authorization when policies rely on HTTP headers with multiple values. Affected are Istio deployments using Envoy before versions 1.29.1, 1.28.5, or 1.27.8. An attacker could craft requests with mul...

CVE-2026-30962 Parse Server has a protected fields bypass via logical query operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...

CVE-2026-26308

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating eac...

CVE-2026-30987

The CVE affects iccDEV libraries, where a stack buffer overflow in CIccTagNum::GetValues() can cause stack memory corruption or a crash. Root cause is a vulnerable implementation in GetValues(), with impact to confidentiality, integrity, and availability as per CVSS 3.1 (High/High/High). The issu...

CVE-2026-30987 iccDEV has a stack buffer overflow in CIccTagNum<(icTagTypeSignature)>::GetValues()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in CIccTagNum::GetValues causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5...

CVE-2026-30987 iccDEV has a stack buffer overflow in CIccTagNum<(icTagTypeSignature)>::GetValues()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in CIccTagNum::GetValues causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5...

Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. CVE-2025-69226: Fixed brute-force leak of internal static file path components bsc1256020. CVE-2025-69224: Fixed unicode processing of header values could cause...

SUSE-SU-2026:0859-1 Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: - CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. - CVE-2025-69226: Fixed brute-force leak of internal static file path components bsc1256020. - CVE-2025-69224: Fixed unicode processing of header values could...

CVE-2025-41759

An administrator may attempt to block all networks by specifying "\" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all...

EUVD-2026-10705

Webauthn Framework: allowedorigins collapses URL-like origins to host-only values, bypassing exact origin validation...

PT-2026-24377

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.37.1 Envoy versions prior to 1.36.5 Envoy versions prior to 1.35.8 Envoy versions prior to 1.34.13 Description Envoy is a high-performance edge/middle/service proxy. The Envoy RBAC Role-Based Access Control filter has...

PT-2026-24626

Summary The Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated...

CVE-2026-25041

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values database name, host, password, etc. without proper sanitization. The password and other...