GHSA-7553-JR98-VX47 libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri...
CVE-2020-7059
When using fgetss function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash...
DLA-2085-1 zlib - security update
Bulletin has no description...
DLA-2077-1 tomcat7 - security update
Bulletin has no description...
CVE-2019-18282
The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrn...
DLA-2023-1 openjdk-7 - security update
Bulletin has no description...
RLSA-2019:3735 Critical: php:7.2 security update
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: php: underflow in env_path_info in fpm_main.c (CVE-2019-11043). For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to...
DLA-1884-1 linux - security update
Bulletin has no description...
DSA-4484-1 linux - security update
Bulletin has no description...
ALSA-2019:1529 Important: pki-deps:10.6 security update
The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by AlmaLinux Certificate System. Security Fixes: tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) tomcat: Insecure...
DLA-1781-1 qemu - security update
Bulletin has no description...
DLA-1728-1 openssh - security update
Bulletin has no description...
DLA-1633-1 sqlite3 - security update
Bulletin has no description...
CVE-2018-15473
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c...
DSA-4156-1 drupal7 - security update
Bulletin has no description...
GHSA-4936-RJ25-6WM6 nori contains Improper Input Validation
The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving...
DSA-3992-1 curl - security update
Bulletin has no description...
DLA-849-1 linux - security update
Bulletin has no description...
DSA-3791-1 linux - security update
Bulletin has no description...
CVE-2016-10045
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOT...
DSA-3688-1 nss - security update
Bulletin has no description...
DSA-3597-1 expat - security update
Bulletin has no description...
DSA-3486-1 chromium-browser - security update
Bulletin has no description...
DSA-3388-1 ntp - security update
Bulletin has no description...
DSA-3323-1 icu - security update
Bulletin has no description...
DSA-3318-1 expat - security update
Bulletin has no description...
DSA-3300-1 iceweasel - security update
Bulletin has no description...
DLA-177-1 openssl - security update
Bulletin has no description...
DSA-3074-1 php5 - security update
Bulletin has no description...
DLA-63-1 bash - security update
Bulletin has no description...
DLA-0008-1 openssl - security update
Bulletin has no description...
DSA-2733-1 otrs2 - SQL injection
Bulletin has no description...
DSA-2626-1 lighttpd - several issues
Bulletin has no description...
DSA-2154-1 exim4 - privilege escalation
Bulletin has no description...
DSA-1872-1 fai-kernels linux-2.6 user-mode-linux - several vulnerabilities
Bulletin has no description...
DSA-1656-1 cupsys - several vulnerabilities
Bulletin has no description...
DSA-1506-1 iceape - several vulnerabilities
Bulletin has no description...
DSA-1300-1 iceape
Bulletin has no description...
DSA-1184-2 kernel-source-2.6.8 - several vulnerabilities
Bulletin has no description...
DSA-1171 ethereal - several
Bulletin has no description...
DSA-1082-1 kernel-source-2.4.17 - several vulnerabilities
Bulletin has no description...
DSA-1067-1 kernel-source-2.4.16 - several
Bulletin has no description...
OSV-2026-823 Heap-buffer-overflow in ihevcd_fmt_conv_422sp_to_420p
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=517027631 Crash type: Heap-buffer-overflow WRITE 1 Crash state: ihevcd_fmt_conv_422sp_to_420p ihevcd_fmt_conv ihevcd_decode...
BIT-TOMCAT-2022-25762 Response mix-up with WebSocket concurrent send and close
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling...
MAL-2025-192349 Malicious code in qt-main (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 bd1f92a69928dc8fa2a6a50cfd596c34802bc68fc28dd5dd8508fc24344bbec9 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
GHSA-7MV8-J34Q-VP7Q @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the...
GHSA-FVFQ-Q238-J7J3 WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote,...
GHSA-C2JP-C369-7PVX FastMCP Auth Integration Allows for Confused Deputy Account Takeover
Summary: FastMCP documentation covers the scenario where it is possible to use Entra ID or other providers for authentication. In this context, because Entra ID does not support Dynamic Client Registration (DCR), the FastMCP-hosted MCP server is acting as the authorization provider, as declared in t...
ASB-A-383080440
In loadDrawableForCookie of ResourcesImpl.java, there is a possible way to access task snapshots of other apps due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
ASB-A-386802855
In multiple locations, there is a possible way to persistently DoS the device due to a missing length check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...