Lucene search
38150 matches found

Vulnrichment
added 2026/05/05 2:49 p.m., 8 views

CVE-2026-5766 Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

CVSS 6.3, AI score 5.8, EPSS 0.00321
Exploits: 0, References: 3
Debian CVE
added 2026/05/05 2:49 p.m., 7 views

CVE-2026-5766

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

CVSS 6.3, AI score 5.8, EPSS 0.00321
Exploits: 0
OSV
added 2026/05/05 1:36 p.m., 6 views

SUSE-SU-2026:21504-1 Security update for the Linux Kernel (Live Patch 14 for SUSE Linux Enterprise Micro 6.0)

This update for the SUSE Linux Enterprise Kernel 6.4.0-38.1 fixes various security issues. The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252048). - CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting ...

CVSS 7.8, AI score 7, EPSS 0.94016
Exploits: 227, References: 11
NVD
added 2026/05/05 1:16 p.m., 4 views

CVE-2026-27644

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported...

CVSS 6.5, EPSS 0.00228
Exploits: 1, References: 2
OSV
added 2026/05/05 1:07 p.m., 1 view

SUSE-SU-2026:21476-1 Security update for the Linux Kernel RT (Live Patch 14 for SUSE Linux Enterprise Micro 6.0)

This update for the SUSE Linux Enterprise Kernel 6.4.0-38.1 fixes various security issues. The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252048). - CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting ...

CVSS 7.8, AI score 7.3, EPSS 0.94016
Exploits: 227, References: 11
OSV
added 2026/05/05 1:07 p.m., 2 views

SUSE-SU-2026:21513-1 Security update for the Linux Kernel RT (Live Patch 13 for SUSE Linux Enterprise Micro 6.0)

This update for the SUSE Linux Enterprise Kernel 6.4.0-37.1 fixes various security issues. The following security issues were fixed: - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252048). - CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting ...

CVSS 7.8, AI score 7, EPSS 0.94016
Exploits: 227, References: 11
EUVD
added 2026/05/05 12:40 p.m., 5 views

EUVD-2026-27313

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

CVSS 6.5, AI score 5.8, EPSS 0.00251
Exploits: 1, References: 3
ATTACKERKB
added 2026/05/05 12:17 p.m., 3 views

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

CVSS 5.4, AI score 5.8, EPSS 0.00183
Exploits: 1, References: 3, Affected Software: 1
IBM Security Bulletins
added 2026/05/05 12:13 p.m., 2 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205

Summary: IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details: CVEID: CVE-2026-27205 DESCRIPTION: Flask is a web...

CVSS 4.3, AI score 5.7, EPSS 0.00374
Exploits: 0, Affected Software: 1
Schneier on Security
added 2026/05/05 10:42 a.m., 6 views

DarkSword Malware

DarkSword is a sophisticated piece of malware--probably government designed--that targets iOS. Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, ...

AI score 5.8
Exploits: 0
RedhatCVE
added 2026/05/05 8:58 a.m., 7 views

CVE-2026-42034

A flaw was found in Axios. A remote attacker can exploit this vulnerability by sending oversized streamed uploads. This occurs when the maxRedirects setting is configured to 0, which bypasses the maxBodyLength limit for stream request bodies. Consequently, the system will process the full oversiz...

CVSS 5.3, AI score 5.8, EPSS 0.00327
Exploits: 1, References: 4
GithubExploit
added 2026/05/05 7:46 a.m., 91 views

linux-copy-fail-exploit

CVE-2026-31431 Copy Fail - LPE Exploit PoC !Pythonhttps:...

CVSS 7.8, AI score 6.3, EPSS 0.94016
Exploits: 227
OSV
added 2026/05/05 7:13 a.m., 5 views

SUSE-SU-2026:21547-1 Security update for strongswan

This update for strongswan fixes the following issues: Update to version 6.0.6 (jsc#PED-16145). Security issues fixed: - CVE-2026-35328: infinite loop when handling supported versions TLS extension (bsc#1261712). - CVE-2026-35329: NULL pointer dereference when processing padding in PKCS7 (bsc#1261717). -...

AI score 5.9
Exploits: 6, References: 15
OSV
added 2026/05/05 7:04 a.m., 3 views

SUSE-SU-2026:1691-1 Security update for the Linux Kernel RT (Live Patch 8 for SUSE Linux Enterprise 15 SP7)

This update for the SUSE Linux Enterprise kernel 6.4.0-150700.7.28 fixes various security issues. The following security issues were fixed: - CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1258005). - CVE-2026-23004: dst: fix races in...

CVSS 7.8, AI score 6.7, EPSS 0.94016
Exploits: 227, References: 9
NVD
added 2026/05/05 3:16 a.m., 23 views

CVE-2026-6704

The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

CVSS 6.1, EPSS 0.00211
Exploits: 0, References: 4
EUVD
added 2026/05/05 12:33 a.m., 6 views

EUVD-2026-25601

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0...

CVSS 5.3, AI score 5.8, EPSS 0.00327
Exploits: 1, References: 2
OSV
added 2026/05/05 12:33 a.m., 3 views

GHSA-5C9X-8GCM-MPGX Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Summary: For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. Details: Relevant flow in lib/adapters/http.js: - 556-564: maxBodyLength check applie...

CVSS 5.3, AI score 5.8, EPSS 0.00327
Exploits: 1, References: 3
Github Security Blog
added 2026/05/05 12:33 a.m., 7 views

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Summary: For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. Details: Relevant flow in lib/adapters/http.js: - 556-564: maxBodyLength check applie...

CVSS 5.3, AI score 5.8, EPSS 0.00327
Exploits: 1, References: 3, Affected Software: 1
Patchstack
added 2026/05/05 12:26 a.m., 5 views

NPM: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Response Tampering, Data Exfiltration, and Request Hijacking vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

CVSS 7.4, AI score 5.8, EPSS 0.00367
Exploits: 1, References: 3, Affected Software: 1
Positive Technologies
added 2026/05/05 12:00 a.m., 4 views

PT-2026-36991

Name of the Vulnerable Software and Affected Versions: Apache Thrift versions prior to 0.23.0. Description: An issue exists involving memory allocation with an excessive size value. Recommendations: Upgrade to version 0.23.0...

CVSS 5.3, AI score 5.8, EPSS 0.00376
Exploits: 0, References: 8