
9 matches found

OSV
added 2026/05/14 12:0 p.m., 4 views

RUSTSEC-2026-0141 TLS hostname verification disabled when using Boring TLS backend

An inverted-boolean bug in lettre's boring-tls integration silently disables TLS hostname verification for callers using the default strict configuration. An on-path attacker presenting any chain-valid certificate for any domain can intercept SMTP submission, including PLAIN/LOGIN credentials and...

CVSS 9.1, AI score 5.8
Exploits: 0, References: 3
vulnersOsv
added 2026/04/07 6:31 p.m., 4 views

com.instaclustr:cassandra-ldap-4.1.0 (=1.0.0), com.instaclustr:ic-sstable-tools-4.1.0 (=1.0.0) +12 more potentially affected by CVE-2026-32588 via org.apache.cassandra:cassandra-all (>=4.1.0 <=4.1.10)

org.apache.cassandra:cassandra-all MAVEN version =4.1.0, =4.1.0, =4.1.0, =4.1.0, =1.0-Beta3, =3.15, =3.15, =4.2 - org.odpi.egeria:open-metadata-assemblies =3.15 Source cves: CVE-2026-32588 Source advisory: OSV:GHSA-QFFM-GF3J-6MVG...

CVSS 6.5, AI score 5.8, EPSS 0.00083
Exploits: 0
vulnersOsv
added 2026/03/11 12:34 a.m., 4 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-31868 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-31868 Source advisory: OSV:GHSA-V5HF-F4C3-M5RV...

CVSS 6.3, AI score 5.8, EPSS 0.00064
Exploits: 0
vulnersOsv
added 2025/12/02 4:15 p.m., 3 views

chromatrace (>=0.1.6 <=0.1.7), ddos-blocker (>=0.0.3 <=0.0.13) +21 more potentially affected by CVE-2025-64460 via django (>=5.1.0 <=5.1.14)

django PYPI version =5.1.0, =0.1.6, =0.0.3, =0.0.15, =2.7.0, =1.0.3, =0.6.2, =5.1.0, =0.2.30, =1.42.2, =1.21.0, =1.21.1.dev5 and more Source cves: CVE-2025-64460 Source advisory: OSV:PYSEC-2025-109...

CVSS 7.5, AI score 7.3, EPSS 0.00067
Exploits: 0
vulnersOsv
added 2025/07/16 12:30 p.m., 5 views

org.glassfish.main.admingui:console-cluster-plugin (>=3.1.2 <=9.0.0-M2), org.glassfish.main.admingui:console-commandrecorder-plugin (>=7.0.16 <=9.0.0-M2) +16 more potentially affected by CVE-2024-9342 via org.glassfish.main.admingui:console-common (>=3.1.2 <=9.0.0-M2)

org.glassfish.main.admingui:console-common MAVEN version =3.1.2, =3.1.2, =7.0.16, =3.1.2, =3.1.2, =3.1.2, =3.1.2, =3.1.2, =4.0, =3.1.2, =4.0, =3.1.2, =4.0, =4.0, =6.2.5, =9.0.0-M2 and more Source cves: CVE-2024-9342 Source advisory:...

CVSS 9.8, AI score 5.8, EPSS 0.00396
Exploits: 0
vulnersOsv
added 2022/09/16 10:15 p.m., 1 views

animl (>=1.1.2 <=1.1.4), arekit (>=0.21.0 <=0.22.1) +182 more potentially affected by CVE-2022-35990 via tensorflow-gpu (>=1.10.1 <=2.7.0)

tensorflow-gpu PYPI version =1.10.1, =1.1.2, =0.21.0, =0.23.0, =0.9.2, =1.0.0, =0.1.0, =0.0.1, =0.0.9, =0.1.0, =0.0.1, =1.0.0, =1.0.3 - brainhance =0.0.1 and more Source cves: CVE-2022-35990 Source advisory: OSV:GHSA-H7FF-CFC9-WMMH...

CVSS 7.5, AI score 7.1, EPSS 0.00135
Exploits: 0
vulnersOsv
added 2022/05/17 4:15 a.m., 3 views

co.paralleluniverse:comsat-actors-undertow (=0.1.0), com.github.wuic:wuic-test (>=0.5.0 <=0.5.2.RC6) +86 more potentially affected by CVE-2014-7816 via io.undertow:undertow-core (>=1.0.0.Alpha1 <=1.0.16.Final)

io.undertow:undertow-core MAVEN version =1.0.0.Alpha1, =0.5.0, =1.0, =0.4.1, =0.4.1, =1.0.0.CR1, =1.0.0.Alpha1, =1.0.0.Alpha1, =1.0.0.Alpha1, =1.0.0, =0.3.0.CR1, =0.5.0.Final - org.jboss.arquillian.container:shrinkwrap-container-undertow =1.0.0.Alpha2 and more Source cves: CVE-2014-7816 Source...

CVSS 5, AI score 5.8, EPSS 0.55155
Exploits: 6
OSV
added 2021/12/13 4:15 p.m., 0 views

UBUNTU-CVE-2021-39938

A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted...

CVSS 6.5, AI score 6.6, EPSS 0.00138
Exploits: 0, References: 2
RedHat Linux
added 2019/11/05 9:19 p.m., 2 views

jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.

A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specifically crafted JSON message to the server that allows them to read arbitrary local files...

CVSS 5.9, AI score 7.5, EPSS 0.18064
Exploits: 0, References: 4