6384 matches found
K000162204: Linux kernel vulnerability CVE-2025-37789
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix nested key length validation in the set action It's not safe to access nlalenovskey if the data is smaller than the netlink header. Check that the attribute is OK first...
K000162203: Spring Cloud Config vulnerability CVE-2026-40981
Security Advisory Description When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive;...
K000162184: Spring Kafka vulnerability CVE-2026-41727
Security Advisory Description Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retrytopic-attempts header to supply an out-of-range attempt count and cause the retry topic...
K000162183: Spring web services vulnerability CVE-2026-40996
Security Advisory Description Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS1 v1.5 rsa-15 encrypted key material unless operators...
K000162182: Spring Expression Language (SpEL) vulnerability CVE-2026-41850
Security Advisory Description Applications that evaluate user-supplied Spring Expression Language SpEL expressions are vulnerable to an Algorithmic Denial of Service DoS. By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading...
K000162181: Spring Framework vulnerability CVE-2026-41841
Security Advisory Description Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. CVE-2026-41841 Impact Ther...
K000162180: Spring WebFlux vulnerability CVE-2026-41840
Security Advisory Description Spring WebFlux applications are vulnerable to Denial of Service DoS attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48. CVE-2026-41840 Impact There is n...
K000162179: Spring for GraphQL vulnerability CVE-2026-41700
Security Advisory Description Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with...
K000162177: Spring Framework vulnerability CVE-2026-41699
Security Advisory Description Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and...
K000162176: Spring authorization server vulnerability CVE-2026-22752
Security Advisory Description The cve record for the cve id does not exist. CVE-2026-22752 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently supported releases for potential vulnerability, and...
K000162161: Spring Framework vulnerability CVE-2026-41839
Security Advisory Description A WebFlux application with a compromised subdomain for example, compromised via cross-site scripting XSS is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7;...
K000162157: Apache Tomcat vulnerability CVE-2026-43513 and CVE-2026-43515
Security Advisory Description CVE-2026-43513 Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0....
K000162156: Spring Framework vulnerability CVE-2026-41844
Security Advisory Description A Spring MVC or Spring WebFlux application which configures a mapping for "/" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions:...
K000162153: Spring Web Services vulnerability CVE-2026-40994
Security Advisory Description Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules...
K000162136: Node.js vulnerabilities CVE-2026-48615 and CVE-2026-48935
Security Advisory Description CVE-2026-48615 A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or...
K000162135: Apache Flink vulnerability CVE-2026-35194
Security Advisory Description Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON...
K000162132: Linux kernel TLS vulnerability CVE-2025-39946
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the...
K000162130: Spring Framework vulnerability CVE-2026-41851
Security Advisory Description Applications which accept user-supplied Spring Expression Language SpEL expressions may be vulnerable to a Denial of Service DoS attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7;...
K000162120: Jinja2 vulnerability CVE-2024-56326 and CVE-2016-10745
Security Advisory Description CVE-2024-56326 Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the...
K000162117: Linux kernel vulnerability CVE-2023-53552
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915requests may be trapped by userspace inside a syncfile or dmabuf dma-resv and held indefinitely across...
K000162085: Spring Data MongoDB vulnerability CVE-2026-41717
Security Advisory Description Spring Data MongoDB contains a SpEL Spring Expression Language expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions...
K000162084: Spring Web Services vulnerability CVE-2026-41000
Security Advisory Description Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-u...
K000162083: Linux kernel vulnerability CVE-2025-39925
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: can: j1939: implement NETDEVUNREGISTER notification handler syzbot is reporting unregisternetdevice: waiting for vcan0 to become free. Usage count = 2 problem, for j1939 protocol did not have...
K000162049: Go vulnerability CVE-2025-58181
Security Advisory Description SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. CVE-2025-58181 Impact An attacker may be able to cause an increase in resource utilizatio...
K000162045: Go vulnerability CVE-2025-47914
Security Advisory Description SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. CVE-2025-47914 Impact An attacker may be able to cause a denial-of-service DoS...
K000162071: Python vulnerability CVE-2025-11468
Security Advisory Description When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. CVE-2025-11468...
K000162065: Spring Framework for Apache Kafka vulnerability CVE-2026-41726
Security Advisory Description When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions:...
K000161886: NPM CLI vulnerabilities CVE-2019-16775, CVE-2019-16776, and CVE-2019-16777
Security Advisory Description CVE-2019-16775 Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenodemodules folder through the bin field upon installation. A properly constructed entry in the...
K000162058: Apache Tomcat vulnerabilities CVE-2026-41293, CVE-2026-43512, CVE-2026-42498, and CVE-2026-41284
Security Advisory Description CVE-2026-41293 Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions ma...
K000162057: MySQL vulnerability CVE-2021-2471
Security Advisory Description Vulnerability in the MySQL Connectors product of Oracle MySQL component: Connector/J. Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromis...
K000162035: Golang vulnerability CVE-2025-58185
Security Advisory Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. CVE-2025-58185 Impact A malicious actor can craft a big empty DER payload, resulting in an unnecessary large allocation of memories. This can be a way to caus...
K000162037: Golang vulnerability CVE-2025-58186
Security Advisory Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory...
K000162053: Node.js vulnerability CVE-2025-55131
Security Advisory Description A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like...
K000162052: Apache Tomcat vulnerability CVE-2026-43514
Security Advisory Description Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through...
K000162041: Spring Framework vulnerabilities CVE-2026-41843 and CVE-2026-41846
Security Advisory Description CVE-2026-41843 Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. CVE-2026-41846 Spri...
K000162034: Node.js vulnerability CVE-2026-48617
Security Advisory Description A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported...
K000162031: Node.js vulnerability CVE-2026-21713
Security Advisory Description A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurement...
K000162026: Multiple Go vulnerabilities
Security Advisory Description CVE-2026-33811 When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-39820 Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU...
K000162017: Apache Artemis vulnerability CVE-2026-27446
Security Advisory Description Missing Authentication for Critical Function CWE-306 vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an...
K000162011: GNU inetutils vulnerability CVE-2026-32746
Security Advisory Description telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC Set Local Characters suboption handler because addslc does not check whether the buffer is full. CVE-2026-32746 Impact There is no impact; F5 products are not affected by this...
K000162008: Apache HTTP Server vulnerability CVE-2026-34059
Security Advisory Description Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-34059 Impact There is no impact; F5 products are not affected by this...
K000162007: Apache HTTP Server vulnerability CVE-2026-34032
Security Advisory Description Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-34032 Impact There is no impact; F5 products...
K000162006: Apache HTTP Server vulnerability CVE-2026-33857
Security Advisory Description Out-of-bounds Read vulnerability in modproxyajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-33857 Impact There is no impact; F5 products are not...
K000162005: Apache HTTP Server vulnerability CVE-2026-33007
Security Advisory Description A NULL pointer dereference in the modauthnsocache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this...
K000162004: Apache HTTP Server vulnerability CVE-2026-33006
Security Advisory Description A timing attack against modauthdigest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue. CVE-2026-33006 Impact There is no impact; F5 products are not...
K000161990: Go vulnerability CVE-2025-61723
Security Advisory Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. CVE-2025-61723 Impact An attacker may be able to cause an increase in resource utilization, which...
K000161993: Golang vulnerability CVE-2025-47912
Security Advisory Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IP...
K000161987: Golang vulnerability CVE-2025-47907
Security Advisory Description Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may...
K000161988: Go vulnerability CVE-2025-58183
Security Advisory Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into...
K000161984: Go vulnerability CVE-2025-47906
Security Advisory Description If the PATH environment variable contains paths which are executables rather than just directories, passing certain strings to LookPath "", ".", and "..", can result in the binaries listed in the PATH being unexpectedly returned. CVE-2025-47906 Impact An attacker may...