74 matches found

Tenable Nessus
added 2026/05/09 12:00 a.m. · 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016821)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016821 advisory. Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NOPROXY environment variable is set to...

CVSS 4.4 · AI score 7.3 · EPSS 0.00024
Exploits 2 · References 4
Tenable Nessus
added 2026/05/09 12:00 a.m. · 2 views

Unity Linux 20.1050e / 20.1070e Security Update: golang (UTSA-2026-017392)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017392 advisory. A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates...

CVSS 6.1 · AI score 5.8 · EPSS 0.00119
Exploits 0 · References 4
AstraLinux
added 2026/05/03 11:59 p.m. · 4 views

Astra Linux - vulnerability in golang-1.19, golang-1.23

A certificate with a URI that has an IPv6 address and a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not allowed in web PKIs; therefore, this only affects users of private PKIs that use URIs...

CVSS 6.1 · AI score 6.7 · EPSS 0.00119
Exploits 0 · References 2
Hacker One
added 2026/04/17 6:59 p.m. · 29 views

curl: libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms

Summary: libcurl omits the IPv6 zoneid component from multiple security-sensitive host identity decisions even though the connection layer still routes by zoneid. As a result, two distinct scoped/link-local destinations such as fe80::X%zoneA and fe80::X%zoneB are treated as the same host by...

CVSS 7.5 · AI score 6.7 · EPSS 0.00152
Exploits 1
IBM Security Bulletins
added 2025/12/05 1:43 p.m. · 3 views

Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang net library

Summary: The Golang net library is used by the IBM Storage Protect Server Object Agent and OSSM component. Golang net is vulnerable to IPv6 zone ID mishandling leading to proxy bypass. This bulletin identifies the steps to address the vulnerabilities. CVE-2025-22870. Vulnerability Details...

CVSS 4.4 · AI score 6.6 · EPSS 0.00024
Exploits 2 · Affected Software 1
IBM Security Bulletins
added 2025/10/31 6:27 p.m. · 2 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a misinterpretation of Input in golang.org/x/net/proxy [CVE-2025-22870]

Summary: IBM Watson Speech Services Cartridge is vulnerable to a misinterpretation of input in golang.org/x/net/proxy, because matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component (CVE-2025-22870). Golang is used in our speech utilities. This...

CVSS 4.4 · AI score 6.5 · EPSS 0.00024
Exploits 2 · Affected Software 1
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-29764

Malicious code in bioql PyPI...

CVSS 6.9 · AI score 6.3 · EPSS 0.06448
Exploits 2 · References 6
IBM Security Bulletins
added 2025/09/26 2:23 p.m. · 5 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera HTTP Gateway

Summary: Multiple vulnerabilities were addressed in IBM Aspera HTTP Gateway version 2.3.2. Vulnerability Details: CVEID: CVE-2025-36274. DESCRIPTION: IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. CWE: CWE-312...

CVSS 7.5 · AI score 6.5 · EPSS 0.00378
Exploits 2 · Affected Software 5
OSV
added 2025/09/24 7:21 p.m. · 3 views

GO-2025-3967 esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh

esm.sh has arbitrary file write via path traversal in X-Zone-Id header in github.com/esm-dev/esm.sh...

CVSS 6.9 · AI score 7.2 · EPSS 0.06448
Exploits 2 · References 5
RedhatCVE
added 2025/09/19 6:30 p.m. · 1 view

CVE-2025-59342

esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a...

CVSS 6.9 · AI score 9 · EPSS 0.06448
Exploits 2 · References 1
Github Security Blog
added 2025/09/17 7:03 p.m. · 7 views

esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header

Summary: A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s...

CVSS 6.9 · AI score 7.8 · EPSS 0.06448
Exploits 2 · References 7 · Affected Software 1
OSV
added 2025/09/17 7:03 p.m. · 2 views

GHSA-G2H5-CVVR-7GMW esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header

Summary: A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s...

CVSS 6.9 · AI score 7.8 · EPSS 0.06448
Exploits 2 · References 7
NVD
added 2025/09/17 6:15 p.m. · 5 views

CVE-2025-59342

esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a...

CVSS 6.9 · EPSS 0.06448
Exploits 2 · References 4
Cvelist
added 2025/09/17 5:59 p.m. · 8 views

CVE-2025-59342 esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header

esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a...

CVSS 6.9 · EPSS 0.06448
Exploits 2 · References 4
Vulnrichment
added 2025/09/17 5:59 p.m. · 2 views

CVE-2025-59342 esm.sh writes arbitrary files via path traversal in `X-Zone-Id` header

esm.sh is a no-build content delivery network (CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a...

CVSS 6.9 · AI score 8.9 · EPSS 0.06448
Exploits 2 · References 4
CVE
added 2025/09/17 5:59 p.m. · 21 views

CVE-2025-59342

esm.sh (no-build CDN) has a path-traversal flaw via the X-Zone-Id header that allows writing files outside the intended storage directory. The issue affects version 136 and earlier; the header is used to build a filesystem path without proper canonicalization or storage-base confinement, enabling ...

CVSS 6.9 · AI score 8.9 · EPSS 0.06448
Exploits 2 · References 4
Positive Technologies
added 2025/09/17 12:00 a.m. · 2 views

PT-2025-38248

Name of the Vulnerable Software and Affected Versions: esm.sh versions 136 and earlier. Description: A path-traversal flaw exists in the handling of the X-Zone-Id HTTP header. The header value is used to construct a filesystem path without proper sanitization or restriction to the application’s...

CVSS 9.9 · AI score 7.6 · EPSS 0.06448
Exploits 11 · References 53
CNNVD
added 2025/09/17 12:00 a.m. · 2 views

esm.sh security vulnerability

esm.sh is a content delivery network open-sourced by esm.sh. A security vulnerability exists in esm.sh version 136 and earlier, which stems from improper handling of the X-Zone-Id HTTP header and could lead to a path traversal attack...

CVSS 6.9 · AI score 8.9 · EPSS 0.06448
Exploits 2 · References 5
Microsoft CVE
added 2025/09/03 10:48 p.m. · 2 views

thermal: core: Reference count the zone in thermal_zone_get_by_id()

...

CVSS 5.5 · AI score 7 · EPSS 0.0001
Exploits 0
Hacker One
added 2025/08/29 9:52 a.m. · 19 views

curl: Incorrect Parsing of IPv6 Zone ID in curl

I'm Zehui Miao from NISL@THU. During recent research, our team identified a parsing inconsistency in curl. 0x01 Affected components 1.1 Affected components • C Curl • Versions: tested in 8.4.0 • CLAIMS TO FOLLOW: RFC-3986 1.2 Attack scenario The threat model illustrated in Figure 1 explains t...

AI score 6.8
Exploits 0