CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...

CVE-2026-55388

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...

CVE-2026-50169

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

CVE-2026-50184

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

CVE-2026-55388

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...

CVE-2026-55388

Summary: CVE-2026-55388 affects piscina (node.js worker pool). Before versions 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina reads options.filename by plain member access in both the constructor and run() paths, allowing the read to fall through the prototype chain. If Object.prototype.filename is pollut...

CVE-2026-54264

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Servi...

CVE-2026-50184 Angular: Request Credential & Cache Policy Stripping in Angular Service Worker

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

CVE-2026-50184

Summary (CVE-2026-50184) : The vulnerability affects the Angular ecosystem, specifically the @angular/service-worker package. When the service worker reconstructs outbound requests, an internal helper strips client-specified safety parameters (credentials: omit and cache: no-store), reverting the...

CVE-2026-50184

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

CVE-2026-50169

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

CVE-2026-50169

The CVE-2026-50169 issue affects the Angular service worker (@angular/service-worker). The vulnerability stems from the request reconstruction path in the service worker, where an internal helper strips strict client-defined redirect policies (for example redirect: 'error'), causing the browser t...

CVE-2026-50169 Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

CVE-2026-54264 Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Servi...

CVE-2026-54264

Angular’s @angular/service-worker contains an information-disclosure flaw prior to versions 22.0.1, 21.2.17, and 20.3.25. When the Service Worker fetches assets, it preserves request headers; on cross-origin redirects it does not strip sensitive headers, potentially exposing credentials (e.g., Au...

RHSA-2026:27732 Red Hat Security Advisory: yggdrasil-worker-package-manager security update

Bulletin has no description...

Moderate: Red Hat Security Advisory: yggdrasil-worker-package-manager security update

An update for yggdrasil-worker-package-manager is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

CVE-2026-5366

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the GitRepository storage class. The commitsha parameter, which is passed to git commands, lacks validation and does not include a -- separator to distinguish user input from git...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: cifs: A use-after-free bug has been fixed in refreshcacheworker. The UAF bug occurred because we were putting DFS root sessions into cifsumount while the DFS cache refresher was executing. We have ensured that DFS root session...

Astra Linux – Vulnerability in Mariadb 10.3

MariaDB Server before version 10.7 is vulnerable to Denial of Service attacks. In the file extra/mariabackup/dscompress.cc, when an error occurs i.e., transitioning to the err label during the execution of the createworkerthreads method, the held lock thd-ctrlmutex is not released properly. This...