908024 matches found
DSA-3433-1 samba - security update
Bulletin has no description...
DLA-27-1 file - security update
Bulletin has no description...
DSA-2929-1 ruby-actionpack-3.2 - security update
Bulletin has no description...
DSA-2632-1 linux-2.6 - several vulnerabilities
Bulletin has no description...
DSA-2336-1 ffmpeg - several
Bulletin has no description...
DSA-2264-1 linux-2.6 - several issues
Bulletin has no description...
DSA-2195-1 php5 - several
Bulletin has no description...
DSA-1861-1 libxml - several issues
Bulletin has no description...
DSA-1704-1 xulrunner - several vulnerabilities
Bulletin has no description...
DSA-1603-1 bind9 - cache poisoning
Bulletin has no description...
DSA-1592-1 linux-2.6 - overflow conditions
Bulletin has no description...
DSA-1392-1 xulrunner - several vulnerabilities
Bulletin has no description...
DSA-921-1 kernel-source-2.4.27 - several
Bulletin has no description...
DSA-607-1 xfree86 - several
Bulletin has no description...
DSA-486 cvs - several vulnerabilities
Bulletin has no description...
GHSA-CQ87-8R7H-962V SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator
Programs using swift-nio is vulnerable to HTTP request smuggling and HTTP response splitting attacks, caused by insufficient validation of outbound HTTP/1.1 request and response start line components. This vulnerability affects all swift-nio versions from 2.0.0 to 2.99.0. It is fixed in 2.100.0 a...
GHSA-W7JW-789Q-3M8P shell-quote quote() does not escape newlines in object .op values
Summary shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...
DEBIAN-CVE-2026-31488
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 "drm/amd/display: Add dsc pre-validation in atomic check", amdgpu resets the CRTC state modechanged flag to false when...
MAL-2025-192349 Malicious code in qt-main (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 bd1f92a69928dc8fa2a6a50cfd596c34802bc68fc28dd5dd8508fc24344bbec9 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
CVE-2025-53536 Roo Code allows Potential Remote Code Execution via .vscode/settings.json
Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with...
DLA-4139-1 imagemagick - security update
Bulletin has no description...
CVE-2025-22126 md: fix mddev uaf while iterating all_mddevs list
In the Linux kernel, the following vulnerability has been resolved: md: fix mddev uaf while iterating allmddevs list While iterating allmddevs list from mdnotifyreboot and mdexit, listforeachentrysafe is used, and this can race with deletint the next mddev, causing UAF: t1: spinlock...
GO-2025-3542 LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality in github.com/mudler/LocalAI
LocalAI Cross-Site Scripting XSS vulnerability in its search functionality in github.com/mudler/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
RHSA-2020:4847 Red Hat Security Advisory: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
Bulletin has no description...
RHSA-2024:8076 Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.19 Security update
Bulletin has no description...
RHSA-2024:5832 Red Hat Security Advisory: httpd security update
Bulletin has no description...
ALSA-2024:6969 Moderate: container-tools:rhel8 security update
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: net/http: memory exhaustion in Request.ParseMultipartForm CVE-2023-45290 golang: crypto/x509: Verify panics on certificates with an unknown public key algorith...
RHSA-2020:0962 Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3 security update
Bulletin has no description...
RHSA-2008:0524 Red Hat Security Advisory: Red Hat Network Satellite Server security update
Bulletin has no description...
RHSA-2024:0554 Red Hat Security Advisory: kpatch-patch security update
Bulletin has no description...
GO-2023-1656 Answer vulnerable to Stored Cross-site Scripting in github.com/answerdev/answer
Answer vulnerable to Stored Cross-site Scripting in github.com/answerdev/answer...
GO-2023-1615 Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer
Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer...
GO-2024-3036 cortex establishes TLS connections with `InsecureSkipVerify` set to `true` in github.com/cortexproject/cortex
cortex establishes TLS connections with InsecureSkipVerify set to true in github.com/cortexproject/cortex...
BELL-CVE-2024-39894
Bulletin has no description...
BIT-APACHE-2024-38474 Apache HTTP Server weakness with encoded question marks in backreferences
Substitution encoding issue in modrewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to...
ASB-A-316153291
In multiple functions of ZygoteProcess.java, there is a possible way to achieve code execution as any app via WRITESECURESETTINGS due to unsafe deserialization. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation...
ALSA-2024:3166 Moderate: openssh security update
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: openssh: scp allows command injection when using backtick characters in the destination...
GHSA-3999-5FFV-WP2R Yamux Memory Exhaustion Vulnerability via Active::pending_frames property
Summary Attack scenario The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended to this vector. This can be remotely triggered in a numbe...
ALSA-2024:2135 Moderate: qemu-kvm security update
Kernel-based Virtual Machine KVM is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fixes: QEMU: e1000e: heap use-after-free in e1000ewritepackettoguest CVE-2023-3019...
ALSA-2024:2447 Low: openssl and openssl-fips-provider security update
OpenSSL is a toolkit that implements the Secure Sockets Layer SSL and Transport Layer Security TLS protocols, as well as a full-strength general-purpose cryptography library. Security Fixes: openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entri...
CVE-2024-24795
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue...
GHSA-5JPM-X58V-624V Netty's HttpPostRequestDecoder can OOM
Summary The HttpPostRequestDecoder can be tricked to accumulate data. I have spotted currently two attack vectors Details 1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consistin...
ALSA-2024:1444 Important: nodejs:16 security update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks CVE-2024-22019 nodejs: HTTP/2: Multiple HTTP/2 enabled...
ALSA-2024:1334 Important: dnsmasq security update
The dnsmasq packages contain Dnsmasq, a lightweight DNS Domain Name Server forwarder and DHCP Dynamic Host Configuration Protocol server. Security Fixes: dnsmasq: bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387 dnsmasq: bind9: Preparing an NSEC3 closest encloser proof...
BIT-GITLAB-2021-22176
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests...
BIT-PYTHON-2020-8315
In Python CPython 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected...
BIT-PYTHON-2022-48565
An XML External Entity XXE issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities...
BIT-ELASTICSEARCH-2023-31417 Elasticsearch Insertion of sensitive information in audit logs
Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords...
RLSA-2024:0627 Moderate: gnutls security update
The gnutls packages provide the GNU Transport Layer Security GnuTLS library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. Security Fixes: gnutls: incomplete fix for CVE-2023-5981 CVE-2024-0553 For more details about the security issues, including the impact,...
GHSA-99VC-XW8J-PHJM Ghost has possible Cross-site Scripting issue
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view th...