161917 matches found
CVE-2026-47737
CVE-2026-47737 affects the Puma Ruby/Rack web server. From 5.5.0 up to 7.2.1 and 8.0.2, it is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used. Puma re-parses PROXY protocol headers after each keep-alive on the same connec...
CVE-2026-48069
@grpc/grpc-js (pure JavaScript implementation) is affected by a crash when processing an invalid incoming compressed message. Affected versions: prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4. Fixed in 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4. Remediation: upgrade to the ...
CVE-2026-47428
Vitest browser mode is affected by an XSS in which the otelCarrier query parameter is inserted directly into an inline script. Affected versions are 4.0.17 through 4.1.6 and 5.0.0-beta.3; this can allow an attacker to craft a browser-runner URL to execute arbitrary JavaScript in the Vitest server...
CVE-2026-48038
Joi (JavaScript) vulnerability CVE-2026-48038: In versions prior to 17.13.4 and 18.2.1, validation of deeply nested user input via recursive link() schemas can trigger an unhandled RangeError when validate() runs without try/catch, potentially crashing the process. Fixed in 17.13.4 and 18.2.1. CV...
CVE-2026-48489
CVE-2026-48489 (Symfony) : A logic flaw in the DefaultAuthenticationFailureHandler with failure_forward enabled allowed an unauthenticated login failure to dispatch a subrequest to access_control-protected GET routes, bypassing firewall listeners. This affected Symfony versions prior to 5.4.53, 6...
CVE-2026-48760
Symfony HtmlSanitizer/UrlSanitizer::parse() had an underinclusive denial for BiDi formatting characters and Unicode whitespace, allowing percent-encoded BiDi marks to bypass the check. The issue affects UrlSanitizer::parse() behavior from Symfony 6.1.0 up to 6.4.41, 7.4.13, and 8.0.13, where raw ...
CVE-2026-45305
Summary of CVE-2026-45305 (Symfony YAML Parser ReDoS) Symfony’s YAML handling (Symfony\Component\Yaml\Parser::cleanup) can hang parsing crafted input due to the use of overlapping quantifiers in regular expressions for YAML directive, comment, and document marker cleanup. This is a client-side pa...
CVE-2026-45073
Symfony uses a PdoAdapter::doClear() that builds a DELETE with a namespace-derived prefix not bound or escaped, allowing an attacker-controlled prefix to escape the LIKE literal and alter deletion scope. A fix is included in Symfony versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. Affected component:...
EUVD-2026-36132
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges...
2026-07 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 for x64 (KB5102204)
2026-07 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 for x64 KB5102204...
BIT-PROMETHEUS-2026-42154 Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...
ROOT-APP-PYPI-CVE-2026-22701 CVE-2026-22701 in rootio-filelock - Patched by Root
Root has patched CVE-2026-22701 in the rootio-filelock package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-68146 CVE-2025-68146 in rootio-filelock - Patched by Root
Root has patched CVE-2025-68146 in the rootio-filelock package for Root:PyPI. Multiple fixed versions available...
CVE-2026-59840
Fortinet FortiOS (7.6.0–7.6.2, 7.4.0–7.4.8, 7.2 all) and FortiProxy (7.6.0–7.6.5, 7.4.0–7.4.13, 7.2 all) are affected by a buffer over-read that may lead to information disclosure. Root cause described as a buffer over-read affecting multiple Fortinet products; the exact attack vector is not spec...
CVE-2026-59839
CVE-2026-59839 describes a path traversal vulnerability: improper limitation of a pathname to a restricted directory in Fortinet products, affecting FortiOS (versions 7.6.0–7.6.6, 7.4.0–7.4.9, 7.2.x, 7.0.x, 6.4.x), FortiPAM (1.8.0 down to 1.0, all 1.x releases), and FortiProxy (7.6.0–7.6.5, 7.4–7...
CVE-2026-59836
CVE-2026-59836 describes an improper certificate validation in Fortinet FortiClientEMS affecting FortiClientEMS 7.4.3–7.4.5, 7.4.0–7.4.1, and all 7.2 versions. The underlying issue is certificate validation failure, leading to information disclosure. The documents do not provide a concrete exploi...
CVE-2025-53379
Fortinet FortiAuthenticator is affected by CVE-2025-53379, an out-of-bounds read vulnerability in FortiAuthenticator 6.6.0–6.6.2 and all 6.5 versions. A remote unauthenticated attacker could potentially retrieve sensitive information via a specially crafted request. The CVSSv3.1 vector is NETWORK...
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauthapple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback idtoken against Apple's JWKS but does not validate any registered...
CVE-2026-55954
CVE-2026-55954 affects ueberauth_apple (v0.1.0 up to but not including v0.6.2). The root cause is lack of validation for registered ID token claims (iss, aud, exp, iat) in Ueberauth.Strategy.Apple.Token.payload/2; the code uses the unvalidated sub to derive the user uid and email. An attacker who...
CVE-2026-15265
Tenable Agent 11.2.0 and 11.1.3 and lower are affected by a path traversal vulnerability that lets a privileged attacker write arbitrary files outside the intended plugin directory, potentially enabling remote code execution. The CVSS metrics indicate a network-accessible issue with high impact o...