Lucene search
K
AlpinelinuxRecent

13018 matches found

AlpineLinux
AlpineLinux
added 2026/05/13 7:28 p.m.17 views

CVE-2026-28376

The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. An authenticated user with access to the Grafana Live API can trigger this issue...

6.5CVSS5.8AI score0.00328EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/13 7:28 p.m.12 views

CVE-2026-28379

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server...

6.5CVSS5.8AI score0.00262EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/13 3:20 p.m.15 views

CVE-2026-44431

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connectionfromurl.urlopen..., assertsamehost=False still forward these sensitive headers. This vulnerability is fixed in 2.7.0...

8.2CVSS5.8AI score0.00527EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/05/13 3:17 p.m.13 views

CVE-2026-44432

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion 1 during the second HTTPResponse.readamt=N call when the response was decompressed using the official Brotli library or 2 when...

8.9CVSS5.8AI score0.0068EPSS
Exploits0References48
AlpineLinux
AlpineLinux
added 2026/05/13 3:8 p.m.9 views

CVE-2026-42266

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager allowedextensionsuris is not correctly enforced by JupyterLab. The Py...

8.8CVSS5.8AI score0.0053EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added 2026/05/13 3:6 p.m.9 views

CVE-2026-42557

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...

9.6CVSS6.3AI score0.00386EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/13 2:12 p.m.13 views

CVE-2026-42926

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxyhttpversion to 2, and also uses proxysetbody, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...

6.3CVSS5.8AI score0.00339EPSS
Exploits1
AlpineLinux
AlpineLinux
added 2026/05/13 2:12 p.m.15 views

CVE-2026-40460

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

6.9CVSS5.8AI score0.00367EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/13 2:12 p.m.14 views

CVE-2026-42934

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpcharsetmodule module. When charset, sourcecharset, and charsetmap and proxypass with disabled buffering "off" directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' contr...

6.3CVSS6.1AI score0.00717EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/13 2:12 p.m.8 views

CVE-2026-42946

A vulnerability exists in the ngxhttpscgimodule and ngxhttpuwsgimodule modules that may result in excessive memory allocation or an over-read of data. When scgipass or uwsgipass is configured, an unauthenticated attacker with man-in-the-middle MITM ability to control responses from an upstream...

8.3CVSS6AI score0.00932EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/13 2:12 p.m.12 views

CVE-2026-40701

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpsslmodule module when the sslverifyclient directive is set to "on" or "optional," and the sslocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacke...

6.3CVSS6AI score0.00677EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/13 2:12 p.m.11 views

CVE-2026-42945

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttprewritemodule module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression PCRE capture for example, $1, $2 with a replacement strin...

9.2CVSS6.4AI score0.61469EPSS
Exploits40
AlpineLinux
AlpineLinux
added 2026/05/13 12:40 p.m.12 views

CVE-2026-8463

Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2verify on empty encoded input. The auto-detect form of argon2verify passes encodedlen - 1 as the length argument to memchr without checking that encodedlen is non-zero. When the encoded string is...

5.3CVSS5.8AI score0.00327EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/13 8:29 a.m.9 views

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

5.3CVSS5.8AI score0.00471EPSS
Exploits1References4
AlpineLinux
AlpineLinux
added 2026/05/13 8:28 a.m.12 views

CVE-2026-7009

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine...

5.3CVSS5.8AI score0.00267EPSS
Exploits1
AlpineLinux
AlpineLinux
added 2026/05/13 8:28 a.m.25 views

CVE-2026-6429

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances...

5.3CVSS5.8AI score0.00519EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/05/13 8:28 a.m.10 views

CVE-2026-6276

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second reques...

7.5CVSS5.8AI score0.00291EPSS
Exploits1References4
AlpineLinux
AlpineLinux
added 2026/05/13 8:28 a.m.9 views

CVE-2026-6253

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

5.9CVSS5.8AI score0.00639EPSS
Exploits1References4
AlpineLinux
AlpineLinux
added 2026/05/13 8:27 a.m.15 views

CVE-2026-5773

libcurl might in some circumstances reuse the wrong connection for SMBS transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the...

7.5CVSS5.8AI score0.00549EPSS
Exploits1References4
AlpineLinux
AlpineLinux
added 2026/05/13 8:27 a.m.34 views

CVE-2026-5545

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTPS request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid...

6.5CVSS5.8AI score0.00414EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/05/13 8:27 a.m.22 views

CVE-2026-4873

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text via IMAP, SMTP, or POP3, a subsequent request to that same host bypasses the TLS requirement and instead transm...

5.9CVSS5.8AI score0.00329EPSS
Exploits1References4
AlpineLinux
AlpineLinux
added 2026/05/12 9:37 p.m.9 views

CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

8.6CVSS5.8AI score0.00274EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/12 4:59 p.m.10 views

CVE-2026-42899

Loop with unreachable exit condition 'infinite loop' in ASP.NET Core allows an unauthorized attacker to deny service over a network...

7.5CVSS5.8AI score0.0243EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/12 4:59 p.m.7 views

CVE-2026-32175

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the...

4.3CVSS5.9AI score0.00711EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/12 4:58 p.m.10 views

CVE-2026-35433

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally...

7.3CVSS5.2AI score0.00662EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/12 4:58 p.m.11 views

CVE-2026-32177

Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally...

7.3CVSS5.9AI score0.00551EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/12 4:35 p.m.20 views

CVE-2025-35979

Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some IntelR Processors within VMX non-root guest operation may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a...

6.8CVSS5.8AI score0.00096EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/12 2:24 p.m.13 views

CVE-2026-8401

Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11...

9.8CVSS5.8AI score0.00313EPSS
Exploits0References5
AlpineLinux
AlpineLinux
added 2026/05/12 1:28 p.m.20 views

CVE-2026-40020

Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imapaclallowanyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed...

4.3CVSS5.8AI score0.00271EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/12 1:28 p.m.16 views

CVE-2026-42006

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass t...

7.5CVSS5.7AI score0.00667EPSS
Exploits1References4
AlpineLinux
AlpineLinux
added 2026/05/12 1:28 p.m.16 views

CVE-2026-40016

Attacker can upload a malicious Sieve script over ManageSieve service or locally to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed...

6.5CVSS5.7AI score0.00338EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/12 1:28 p.m.13 views

CVE-2026-33603

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

6.8CVSS5.8AI score0.00222EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/05/12 1:28 p.m.12 views

CVE-2026-27851

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No...

9.1CVSS5.8AI score0.00406EPSS
Exploits0References4
AlpineLinux
AlpineLinux
added 2026/05/12 12:36 p.m.14 views

CVE-2026-8391

Other issue in the JavaScript Engine component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11...

5.3CVSS5.8AI score0.00298EPSS
Exploits0References5
AlpineLinux
AlpineLinux
added 2026/05/12 12:36 p.m.10 views

CVE-2026-8390

Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.0.3...

7.3CVSS5.8AI score0.0026EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/05/12 12:36 p.m.13 views

CVE-2026-8389

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3...

7.3CVSS5.8AI score0.00331EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/05/12 12:36 p.m.9 views

CVE-2026-8388

Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11...

6.5CVSS5.8AI score0.00244EPSS
Exploits0References5
AlpineLinux
AlpineLinux
added 2026/05/12 12:0 a.m.14 views

CVE-2026-45185

Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS closenotify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to...

9.8CVSS6.2AI score0.01225EPSS
Exploits2References8
AlpineLinux
AlpineLinux
added 2026/05/11 10:1 p.m.8 views

CVE-2026-43913

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, an...

8.1CVSS5.8AI score0.00267EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 9:56 p.m.11 views

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

8.7CVSS5.9AI score0.00289EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 9:54 p.m.10 views

CVE-2026-43911

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's securitystamp is rotated by some security-sensitive operations password change, KDF change, key rotation, email change, org admin password reset, emergency access...

8.1CVSS5.8AI score0.00216EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 7:46 p.m.10 views

CVE-2026-42050

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. This vulnerabilit...

5.5CVSS5.9AI score0.0013EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/05/11 5:24 p.m.12 views

CVE-2026-43896

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jvobjectmergerecursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the operator when both operands are objects...

6.2CVSS5.8AI score0.00154EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 5:24 p.m.11 views

CVE-2026-43895

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy o...

4.4CVSS5.9AI score0.00157EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 5:23 p.m.11 views

CVE-2026-44777

jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other...

6.8CVSS5.8AI score0.00161EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 5:20 p.m.11 views

CVE-2026-43894

jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INTMAX-1 2147483646 digits, the D2U macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-by...

6.2CVSS5.8AI score0.00158EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 5:18 p.m.11 views

CVE-2026-41256

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before...

6.3CVSS5.9AI score0.00256EPSS
Exploits2References1
AlpineLinux
AlpineLinux
added 2026/05/11 5:16 p.m.8 views

CVE-2026-40612

jq is a command-line JSON processor. In 1.8.1 and earlier, jvcontains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure built programmatically with reduce, since the JSON parser caps at depth 10000, the C stack is exhausted...

6.8CVSS5.8AI score0.00161EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 5:14 p.m.10 views

CVE-2026-41257

jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB via deeply nested generator forks, the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for ...

7.3CVSS5.8AI score0.00142EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 4:48 p.m.9 views

CVE-2026-5172

A buffer overflow in dnsmasq’s extractaddresses function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extractname to advance the pointer past the record’s end...

7.5CVSS6AI score0.00933EPSS
Exploits1
Total number of security vulnerabilities13018