EUVD-2026-34014

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a...

CVE-2026-8468 Unbounded buffer accumulation in multipart header parsing causes denial of service in plug

Allocation of Resources Without Limits or Throttling vulnerability in plugproject plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':readpartheaders/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on t...

CVE-2026-39803 HTTP/1 chunked body reader ignores length cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

Security update for python-poetry

This update for python-poetry fixes the following issue: CVE-2026-34591: From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write bsc1261383. Patch Instructions: To install this SUSE upda...

CVE-2026-39616

Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through = 1.4.0...

SUSE CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

Zulip 路径遍历漏洞

Zulip is a powerful open-source chat application developed by the US company Zulip. It combines the immediacy of real-time conversations with the productivity benefits of threaded dialogue. Versions of Zulip from 1.4.0 to 11.6 contained a path traversal vulnerability, which was caused by a flaw i...

5gasp-cli (>=0.1.0 <=0.4.0), aia-read-svc (>=0.5.1 <=0.6.2) +394 more potentially affected by CVE-2026-34591 via poetry (>=1.4.0 <=2.3.2)

poetry PYPI version =1.4.0, =0.1.0, =0.5.1, =2023.2.21, =0.2.0rc3, =0.1.0, =0.1.1, =0.6.0.68, =0.0.1, =0.1.0rc7, =0.0.2, =0.0.3 and more Source cves: CVE-2026-34591 Source advisory: OSV:GHSA-2599-H6XX-HPXP...

CLEANSTART-2026-TG67287 Security fixes for CVE-2025-61732, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 1.4.0-r0, 1.4.0-r1

Multiple security vulnerabilities affect the kubernetes-dashboard-auth-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

article-extract (>=0.1.2 <=0.1.3), athlinks-races (>=0.0.4 <=0.0.7) +51 more potentially affected by unknown CVE via scrapy (>=1.4.0 <=2.14.1)

scrapy PYPI version =1.4.0, =0.1.2, =0.0.4, =3.4.0, =2.8.3, =0.0.1.dev1, =1.3.0, =1.2.1.20160901, =0.2.0, =0.0.5, =0.2.4, =0.0.2, =0.3.0a0, =0.0.20, =0.0.34 and more Source cves: unknown CVE Source advisory: OSV:GHSA-CWXJ-RR6W-M6W7...

CVE-2026-28356 ReDoS in multipart 1.3.0 - `parse_options_header()`

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

python-multipart 安全漏洞

python-multipart is a Python-based streaming multipart parser developed by Marcelo Trylesinski. Versions prior to 1.2.2, 1.3.1, and 1.4.0-dev contained security vulnerabilities. These vulnerabilities stemmed from the use of ambiguous regular expressions in the parseoptionsheader function, which...

CVE-2026-24783

soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the mulDivx, y, z function incorrectly handled cases where both the intermediate product $x y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was...

africa.absa:inception-test (>=1.0.0 <=1.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess (>=0.1.0 <=0.2.0) +7515 more potentially affected by CVE-2026-24400 via org.assertj:assertj-core (>=1.4.0 <=3.27.6)

org.assertj:assertj-core MAVEN version =1.4.0, =1.0.0, =0.1.0, =0.1.0, =0.0.62, =0.7.0, =0.0.10, =0.0.6, =0.8.38, =20.3.3, =20.3.3, =20.3.3, =20.3.3, =20.3.3, =20.3.3, =26.3.1 and more Source cves: CVE-2026-24400 Source advisory: OSV:GHSA-RQFH-9R24-8C9R...

WordPress plugin Hotel Listing cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

Horilla Access Control Vulnerability

Horilla is a free open-source human resources software developed by Horilla Company. Versions of Horilla 1.4.0 and later contain an access control vulnerability. This vulnerability stems from the unauthorized access to unpublished recruitment information, which may lead to the leakage of sensitiv...

CVE-2026-23736 seroval Affected by Prototype Pollution via JSON Deserialization

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON...

CVE-2023-43668

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... . Users are advised to upgrade to Apache InLong's 1.9.0 or...

CVE-2024-39653

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in E4J s.R.L. VikRentCar allows SQL Injection.This issue affects VikRentCar: from n/a through 1.4.0...

Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Prototype Pollution flaw due to lodash.clonedeep

Summary lodash.clonedeep is used by BM watsonx Orchestrate Developer Edition as part of images: agentic-task-manager, wxo-builder-ui, wxo-connections Vulnerability Details CVEID:CVE-2018-16487 DESCRIPTION: A prototype pollution vulnerability was found in lodash 4.17.11 where the functions merge,...