Lucene search
K
AlpinelinuxRecent

13033 matches found

AlpineLinux
AlpineLinux
•added 2026/03/30 7:7 p.m.•1 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS7AI score0.26356EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/30 7:7 p.m.•3 views

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

5.3CVSS6.5AI score0.00454EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/30 7:7 p.m.•3 views

CVE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

3.3CVSS6.5AI score0.00158EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/30 7:7 p.m.•2 views

CVE-2026-21716

An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their callback-based equivalents fs.fchmod, fs.fchown were correctly patched. As a result, code running under --permission with restricted...

3.3CVSS6.7AI score0.00159EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/30 6:27 p.m.•4 views

CVE-2026-34714

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %expr injection occurs with tabpanel lacking PMLE...

9.2CVSS6.3AI score0.00588EPSS
Exploits0References10
AlpineLinux
AlpineLinux
•added 2026/03/30 3:13 p.m.•2 views

CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

5.7CVSS6.2AI score0.00325EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/29 8:50 p.m.•73 views

CVE-2026-4176

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of...

9.8CVSS5.9AI score0.00676EPSS
Exploits1References7
AlpineLinux
AlpineLinux
•added 2026/03/27 10:21 p.m.•2 views

CVE-2026-33996

LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the...

5.8CVSS5.9AI score0.0015EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/03/27 10:8 p.m.•3 views

CVE-2026-33936

The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Prior to version 0.19.2, an issue in the low-level D...

5.3CVSS5.8AI score0.00476EPSS
Exploits1References3
AlpineLinux
AlpineLinux
•added 2026/03/27 2:28 p.m.•4 views

CVE-2026-27879

A resample query can be used to trigger out-of-memory crashes in Grafana...

6.5CVSS5.2AI score0.00376EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:26 p.m.•13 views

CVE-2026-28375

A testdata data-source can be used to trigger out-of-memory crashes in Grafana...

6.5CVSS5.2AI score0.00376EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:24 p.m.•6 views

CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact RCE. This is enabled by a feature in Grafana OSS, so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the...

9.1CVSS7.1AI score0.01929EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:12 p.m.•9 views

CVE-2026-33758

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed...

9.6CVSS5.8AI score0.00287EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:12 p.m.•6 views

CVE-2026-27880

The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes...

7.5CVSS5.5AI score0.00772EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:10 p.m.•11 views

CVE-2026-33757

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...

9.6CVSS5.9AI score0.00411EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:2 p.m.•5 views

CVE-2026-27877

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve...

7.5CVSS5.2AI score0.00298EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 2:0 p.m.•10 views

CVE-2026-33748

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is...

8.2CVSS5.8AI score0.00463EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/27 1:49 p.m.•3 views

CVE-2026-33433

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when headerField is configured with a non-canonical HTTP header name e.g., x-auth-user instead of X-Auth-User, an authenticated attacker can inject their own canonical version of that header to...

8.8CVSS5.9AI score0.00469EPSS
Exploits1References4
AlpineLinux
AlpineLinux
•added 2026/03/27 1:47 p.m.•3 views

CVE-2026-32695

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative rules.hosts was...

7.7CVSS5.9AI score0.00463EPSS
Exploits1References3
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•4 views

CVE-2026-27859

A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much CPU. A suitably formatted mail message causes mail delivery process to consume large amounts of CPU time. Use MTA capabilities to limit RFC 2231 MIME parameters in mail messages, or upgrade to fixed...

5.3CVSS5.9AI score0.00374EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•2 views

CVE-2026-27860

If authusernamechars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out authusernamechars, or install fixed version. No publicly available exploits are...

5.3CVSS5.9AI score0.00286EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•6 views

CVE-2026-27858

Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No public...

7.5CVSS5.2AI score0.0079EPSS
Exploits0References18
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•2 views

CVE-2026-27857

Sending "NOOP ..." command with 4000 parenthesis open+close results in 1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single I...

7.5CVSS5.9AI score0.00667EPSS
Exploits1References18
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•4 views

CVE-2026-27856

Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attack. An attacker can use this to determine the configured credentials. Figuring out the credential will lead into full access to the affected component. Limit access to the doveadm http service port,...

7.4CVSS5.9AI score0.00392EPSS
Exploits1References5
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•4 views

CVE-2026-27855

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If...

6.8CVSS5.9AI score0.00338EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•1 views

CVE-2026-24031

Dovecot SQL based authentication can be bypassed when authusernamechars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear authusernamechars. If this is not possible, install latest fixed version. No publicly available exploits...

8.2CVSS5.9AI score0.00395EPSS
Exploits0References4
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•10 views

CVE-2026-0394

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd or some other pa...

5.3CVSS5.3AI score0.00427EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•6 views

CVE-2025-59032

ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed...

7.5CVSS5.2AI score0.00703EPSS
Exploits1References18
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•3 views

CVE-2025-59028

When sending invalid base64 SASL data, login process is disconnected from the auth server, causing all active authentication sessions to fail. Invalid BASE64 data can be used to DoS a vulnerable server to break concurrent logins. Install fixed version or disable concurrency in login processes hea...

7.5CVSS5.9AI score0.00447EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/03/27 8:10 a.m.•13 views

CVE-2025-59031

Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles zip-style attachments. Attacker can use specially crafted OOXML documents to cause unintended files on the system to be indexed and subsequently ending up in FTS indexes. Do not use the provided...

4.3CVSS5.8AI score0.00283EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/03/27 5:30 a.m.•6 views

CVE-2026-4948

A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus Desktop Bus setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication,...

5.5CVSS5.2AI score0.00118EPSS
Exploits0References3
AlpineLinux
AlpineLinux
•added 2026/03/27 4:55 a.m.•3 views

CVE-2026-34353

In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed...

5.9CVSS5.9AI score0.00114EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/03/27 12:49 a.m.•8 views

CVE-2026-33747

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for...

9.8CVSS6AI score0.00498EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 10:43 p.m.•17 views

CVE-2026-33897

Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to...

9.9CVSS6AI score0.00481EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/03/26 10:40 p.m.•11 views

CVE-2026-33743

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a...

6.5CVSS5.8AI score0.00385EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/26 10:37 p.m.•8 views

CVE-2026-33711

Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable...

7.8CVSS6AI score0.0035EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/26 10:32 p.m.•3 views

CVE-2026-33542

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker...

7.1CVSS5.8AI score0.0018EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/03/26 10:30 p.m.•2 views

CVE-2026-34352

In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions...

9.8CVSS5.9AI score0.00247EPSS
Exploits0References5
AlpineLinux
AlpineLinux
•added 2026/03/26 8:6 p.m.•3 views

CVE-2026-0965

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service DoS by causing the system t...

3.3CVSS6AI score0.00158EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:6 p.m.•4 views

CVE-2026-0967

A flaw was found in libssh. A remote attacker, by controlling client configuration files or knownhosts files, could craft specific hostnames that when processed by the matchpattern function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion,...

5.5CVSS5.9AI score0.00223EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:6 p.m.•3 views

CVE-2026-0968

A flaw was found in libssh in which a malicious SFTP SSH File Transfer Protocol server can exploit this by sending a malformed 'longname' field within an SSHFXPNAME message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can...

3.1CVSS5.9AI score0.00442EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:6 p.m.•3 views

CVE-2026-0966

A flaw was found in libssh. The API function sshgethexa is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI Generic Security Service Application Program Interface authentication if the server's logging verbosity is se...

8.2CVSS6.3AI score0.00582EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:6 p.m.•1 views

CVE-2026-0964

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue...

6.3CVSS6.9AI score0.00408EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:5 p.m.•3 views

CVE-2026-33375

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user Viewer to bypass API restrictions and trigger a catastrophic Out-Of-Memory OOM memory exhaustion, crashing the host container...

6.5CVSS5.9AI score0.00434EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:1 p.m.•3 views

CVE-2026-2100

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the CDeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potential...

7.5CVSS5.9AI score0.0116EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 8:0 p.m.•2 views

CVE-2026-2239

A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the freadpascalstring function when processing a specially crafted PSD Photoshop Document file. This occurs because the buffer allocated for a Pascal string is not properly null-terminated, leading to an out-of-bounds read whe...

6.5CVSS6AI score0.00485EPSS
Exploits1References3
AlpineLinux
AlpineLinux
•added 2026/03/26 8:0 p.m.•7 views

CVE-2026-2271

A flaw was found in GIMP's PSP Paint Shop Pro file parser. A remote attacker could exploit an integer overflow vulnerability in the readcreatorblock function by providing a specially crafted PSP image file. This vulnerability occurs when a 32-bit length value from the file is used for memory...

5.5CVSS7.1AI score0.00494EPSS
Exploits1References3
AlpineLinux
AlpineLinux
•added 2026/03/26 7:57 p.m.•3 views

CVE-2026-33536

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds...

5.1CVSS6.1AI score0.00128EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 7:52 p.m.•3 views

CVE-2026-33535

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 display interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue...

5.5CVSS5.9AI score0.00141EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/03/26 5:38 p.m.•4 views

CVE-2026-33504

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens ar...

7.2CVSS6.6AI score0.00349EPSS
Exploits0References1
Total number of security vulnerabilities13033