EUVD-2025-203462
Weblate has a Server-Side Request Forgery issue...
Astra Linux - vulnerability in linux-5.10, linux, linux-5.15
In the Linux kernel, the following vulnerability has been resolved: vc_screen: The load of the struct vc_data pointer in vcs_read was moved to avoid a Use-After-Free (UAF) condition. After a call to console_unlock in vcs_read, the struct vc_data structure can be freed using vc_deallocate. Therefore, the...
Astra Linux - vulnerability in linux-5.10, linux
In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer. The syzbot report indicates a kernel infoleak at the vcs_read function [1]: the buffer can be read immediately after the resizing operation. The buffer is initialized using kzalloc. c...
Astra Linux - vulnerability in python-pip
When installing a package from a Mercurial VCS URL (e.g., “pip install hg+…”) using pip before version 23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the “hg clone” call (e.g., “--config”). Controlling the Mercurial configuration allows modifying t...
Astra Linux - vulnerability in linux, linux-5.15, linux-5.10
In the Linux kernel, the following vulnerability has been resolved: vc_screen: reload load of struct vc_data pointer in vcs_write to avoid UAF. After a call to console_unlock in vcs_write, the vc_data struct can be freed by vc_port_destruct. Because of that, the struct vc_data pointer must be reloaded in th...
Astra Linux - vulnerability in composer
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call VcsDriver::getFileContent can have a code injection vulnerability if the user can control the $file or $identifier argument. This leads to a vulnerability on packagist.org, for example, where...
Astra Linux - vulnerability in linux-5.10, linux, linux-5.15
A use-after-free flaw was discovered in vcs_read in drivers/tty/vt/vc_screen.c within vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information...
K000160934: Multiple Go vulnerabilities
Security Advisory Description CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This onl...
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without...
New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS version control softwa...
CVE-2026-32948 sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process("cmd", "/c", ...) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without...
MiracleLinux 9 : golang-1.24.6-1.el9_6 (AXSA:2025-10754:04)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10754:04 advisory. cmd/go: Go VCS Command Execution Vulnerability CVE-2025-4674 Tenable has extracted the preceding description block directly from the MiracleLinux security...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000305)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000305 advisory. vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a. Tenable has extracted t...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992369)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992369 advisory. In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer. syzbot reports kernel infoleak at vcs_read [1], for buffe...
CVE-2025-68165
In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup...
EUVD-2025-203765
In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup...
CVE-2025-66407
Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...
PT-2025-51716
In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup...