Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer The syzbot report indicates a kernel vulnerability at the vcsread function 1. The buffer can be read immediately after the resizing operation. Initialize the buffer using kzalloc...

CVE-2026-50127 Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions...

Weblate 代码问题漏洞

Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 2026.6 had code-related vulnerabilities. These vulnerabilities stemmed from the improper handling of some transition IPv6 ranges, multicast addresses, and partially...

OESA-2026-2541 python-pip security update

pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %b=$pkg-config --variable=completionsdir bash-completion 2/dev/null; echo $b:-/bashcompletion.d Name: python-pip Version: 20.2.2 Release: 4 Summary: A...

EUVD-2025-203462

Weblate has a Server-Side Request Forgery issue...

Astra Linux - уязвимость в python-pip

When installing a package from a Mercurial VCS URL e.g., “pip install hg+…” using pip before version 23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the “hg clone” call e.g., “--config”. Controlling the Mercurial configuration allows modifying t...

Astra Linux - уязвимость в linux-5.10, linux, linux-5.15

A use-after-free flaw was discovered in vcsread in drivers/tty/vt/vc-screen.c within vc-screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information...

Astra Linux – Vulnerability in Composer

Composer is a dependency manager for the PHP programming language. Integrators who use Composer code to call VcsDriver::getFileContent may encounter a code injection vulnerability if the user can control the $file or $identifier arguments. This vulnerability is documented on packagist.org, where...

Astra Linux – Vulnerabilities in Linux, Linux-5.15, Linux-5.10

In the Linux kernel, the following vulnerability has been resolved: vcscreen: The load of the struct vcdata pointer in vcswrite was reloaded to avoid a Use-After-Free UAF condition. After a call to consoleunlock in vcswrite, the struct vcdata structure can be freed using vcportdestruct. Therefore...

Astra Linux – Vulnerability in Linux 5.10, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: vcscreen: The load of the struct vcdata pointer in vcsread was moved to avoid a Use-After-Free UAF condition. After a call to consoleunlock in vcsread, the struct vcdata structure can be freed using vcdeallocate. Therefore, the...

K000160934: Multiple Go vulnerabilities

Security Advisory Description CVE-2023-45285 Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This onl...

CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS version control softwa...

CVE-2026-32948 sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without...

CVE-2026-32948 sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without...

MiracleLinux 9 : golang-1.24.6-1.el9_6 (AXSA:2025-10754:04)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10754:04 advisory. cmd/go: Go VCS Command Execution Vulnerability CVE-2025-4674 Tenable has extracted the preceding description block directly from the MiracleLinux security...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000305)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000305 advisory. vcswrite in drivers/tty/vt/vcscreen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a. Tenable has extracted t...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992369)

"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992369 advisory. In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer syzbot reports kernel infoleak at vcsread 1, for buffe...

CVE-2025-68165

In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup...

EUVD-2025-203765

In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup...