Redhat
Monthly
The resolveSafeChildPath function in Backstage's backend-plugin-api prior to version 0.1.17 improperly validates symlink chains and dangling symlinks, allowing authenticated attackers to bypass path traversal protections used by Scaffolder actions and other backend components. An attacker with low privileges could exploit this to access files outside the intended directory boundaries by chaining intermediate symlinks or creating symlinks pointing to non-existent paths that are later materialized during file operations. This affects Backstage installations relying on the vulnerable path validation function for security isolation.
Backstage Scaffolder actions and archive extraction utilities are vulnerable to symlink-based path traversal attacks, allowing authenticated users with template creation privileges to read sensitive files, delete arbitrary files outside the workspace, or write malicious files via crafted symlinks in tar/zip archives. This affects deployments where users can create or execute Scaffolder templates, with no patch currently available for versions prior to @backstage/backend-defaults 0.12.2.
Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.
Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
External Secrets Operator versions 0.20.2 through 1.1.x contain an authorization bypass in the getSecretKey template function that allows authenticated users to retrieve secrets across namespace boundaries, circumventing intended access controls. An attacker with local Kubernetes access could exploit this to exfiltrate sensitive data managed by the operator outside their authorized namespace. The vulnerability has been patched in version 1.2.0 where the function was completely removed.
vLLM is an inference and serving engine for large language models (LLMs). [CVSS 8.8 HIGH]
Lodash versions up to 4.17.22 is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 5.3).
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. [CVSS 5.3 MEDIUM]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]
to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 versions up to 9.18.43 is affected by reachable assertion (CVSS 7.5).
A null pointer dereference in the Linux kernel's socket error queue handling causes a denial of service when CONFIG_HARDENED_USERCOPY is enabled and applications attempt to retrieve error messages via recvmsg(). Local attackers with user privileges can trigger a kernel panic by reading from the socket error queue on affected systems running vulnerable kernel versions.
Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.
Unauthorized API access in Apache Solr 5.3.0 through 9.10.0 allows unauthenticated attackers to bypass the RuleBasedAuthorizationPlugin due to insufficient input validation in permission rule enforcement. This vulnerability affects only deployments using multiple roles with specific predefined permissions like config-read, config-edit, schema-read, metrics-read, or security-read without the "all" permission rule defined. Successful exploitation grants attackers unauthorized access to sensitive Solr APIs, potentially exposing configuration and security data.
A null pointer dereference in the Linux kernel's QFQ packet scheduler (net/sched/sch_qfq) allows local attackers with user privileges to cause a denial of service by deactivating an inactive aggregate during qdisc reset operations. The vulnerability occurs when multiple QFQ qdisc instances share a leaf qdisc, causing incorrect state assumptions during cleanup. A patch is available to resolve this issue.
A flaw was found in the keycloak-services component of Keycloak. [CVSS 6.5 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 6.5).
Mysql contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Mysql Cluster contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 6.1).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.4).
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 5.3).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 4.8).
Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.
Node.js has a CVSS 10.0 permission model bypass that allows Unix Domain Socket connections to completely bypass network restrictions when --allow-net is configured.
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. [CVSS 5.3 MEDIUM]
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. [CVSS 7.1 HIGH]
Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.
PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.
NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. [CVSS 7.3 HIGH]
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. [CVSS 7.3 HIGH]
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. [CVSS 7.3 HIGH]
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. [CVSS 7.5 HIGH]
Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]
Heap corruption in Google Chrome's ANGLE graphics library prior to version 144.0.7559.59 can be triggered through a crafted HTML page, enabling remote attackers to execute arbitrary code without user interaction beyond visiting a malicious website. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, though no patch is currently available. With a CVSS score of 8.8 and minimal exploit complexity, this presents a significant risk to the browser's security model.
Chrome Split View prior to 144.0.7559.59 has a UI spoofing vulnerability that allows remote attackers to display misleading content in the split view interface.
Google Chrome prior to 144.0.7559.59 has insufficient policy enforcement in Network that allows attackers who obtained a network position to access sensitive data.
Chrome versions up to 144.0.7559.59 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).
Out-of-bounds memory read in Chrome's V8 JavaScript engine prior to version 144.0.7559.59 enables remote attackers to leak sensitive information through maliciously crafted web pages requiring only user interaction. The vulnerability affects all Chrome users and exposes high-impact confidentiality and integrity risks with no available patch at this time.
Object corruption in Google Chrome's V8 engine prior to version 144.0.7559.59 can be triggered by remote attackers through malicious HTML pages, potentially leading to complete system compromise including unauthorized access, data modification, and denial of service. The vulnerability requires user interaction to exploit but does not require authentication or special privileges. No patch is currently available for affected users.
Out-of-bounds memory access in Chrome's V8 engine (versions prior to 144.0.7559.59) enables remote attackers to corrupt objects and potentially achieve code execution by delivering a malicious HTML page to users. The vulnerability requires user interaction but poses significant risk due to its high CVSS score (8.8) and impact on confidentiality, integrity, and availability. No patch is currently available.
Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction.
Jaraco.context versions 5.2.0 through 6.0.x contain a path traversal vulnerability in the tarball() function that allows attackers to extract files outside the intended directory when processing malicious tar archives, with public exploit code available. The vulnerability exploits insufficient path validation that fails to properly filter directory traversal sequences like `../`, potentially enabling unauthorized file extraction and nested tarball attacks. This affects all users processing untrusted tar archives with the vulnerable versions.
ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 8.1 HIGH]
Imagemagick versions up to 7.1.2-13 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).
ImageMagick versions prior to 7.1.2-13 fail to properly initialize buffer elements in the BilateralBlurImage method, leading to invalid pointer dereference and potential denial of service when memory allocation fails. An attacker can exploit this through network vectors to crash affected applications or trigger undefined behavior with high complexity requirements. A patch is available in version 7.1.2-13 and later.
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in offscreen bitmap deletion that leaves dangling pointers, exploitable by malicious RDP servers for client-side code execution.
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in xf_Pointer_New where cursor data is freed prematurely, allowing malicious RDP servers to execute code on clients.
ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.
FreeRDP versions before 3.21.0 contain a buffer overflow in FastGlyph parsing where a malicious Remote Desktop server can crash the client by sending specially crafted glyph data that bypasses length validation. A remote attacker can exploit this vulnerability without authentication to cause denial of service, and public exploit code exists. The vulnerability affects FreeRDP clients connecting to untrusted or compromised RDP servers, with no patch currently available for most deployments.
FreeRDP prior to 3.21.0 contains a client-side heap buffer overflow in session data processing, the fifth in a series of seven critical heap overflows fixed in version 3.21.0.
FreeRDP prior to 3.21.0 has another client-side heap buffer overflow that can be exploited by malicious RDP servers to achieve remote code execution on connected clients.
OpenStack keystonemiddleware 10.5 through 10.9 has an authentication spoofing vulnerability (CVSS 9.9) allowing attackers to bypass Keystone token validation and access any OpenStack service as any user.
FreeRDP prior to 3.21.0 has a client-side heap buffer overflow that can be triggered by a malicious RDP server during session data processing, enabling remote code execution.
FreeRDP prior to 3.21.0 has a heap buffer overflow in ClearCodec glyph data processing that allows a malicious RDP server to execute arbitrary code on connected clients.
FreeRDP prior to 3.21.0 has a heap buffer overflow in bitmap decompression (planar codec) that can be triggered by a malicious RDP server to execute code on the client.
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-va...
Heap-based buffer overflow in QuickJS up to version 0.11.0 within the js_typed_array_constructor_ta function allows remote attackers to corrupt memory and potentially achieve code execution with user interaction. Public exploit code exists for this vulnerability, increasing practical attack risk. A patch is available and should be applied immediately.
Use-after-free in QuickJS up to version 0.11.0 within the Atomics Ops Handler allows remote attackers to trigger memory corruption without authentication. Public exploit code exists for this vulnerability, enabling potential information disclosure or denial of service. A patch is available and should be applied immediately.
A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. [CVSS 5.3 MEDIUM]
A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. [CVSS 5.3 MEDIUM]
A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. [CVSS 5.3 MEDIUM]
A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. [CVSS 5.3 MEDIUM]
A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. [CVSS 5.3 MEDIUM]
node-tar versions 7.5.2 and earlier fail to properly sanitize link paths in tar archives when the default secure mode is enabled, allowing attackers to extract files outside the intended directory through malicious hardlinks and symlinks. Public exploit code exists for this vulnerability, which affects Node.js applications and related products including D-Link and Tar utilities. An attacker can overwrite arbitrary files or conduct symlink poisoning attacks on affected systems.
CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.
pyasn1 is a generic ASN.1 library for Python. versions up to 0.6.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. [CVSS 8.1 HIGH]
Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]
In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. [CVSS 6.7 MEDIUM]
In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. [CVSS 7.1 HIGH]
PlantUML versions before 1.2026.0 fail to properly sanitize interactive attributes in GraphViz diagrams, allowing attackers to inject malicious JavaScript into SVG output through crafted diagram files. Applications that render these SVGs are vulnerable to arbitrary script execution within the user's browser context. A patch is available to address this stored XSS vulnerability.
Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.
Stack memory disclosure in GNU C Library versions 2.0-2.42 allows unauthenticated remote attackers to leak sensitive stack contents via crafted DNS queries when getnetbyaddr functions are configured to use the DNS backend for network lookups. This vulnerability affects systems running vulnerable Glibc and DNS resolver combinations, with no available patch currently released.
Improper URI path normalization in Vert.x Web's static file handler allows remote attackers to manipulate the cache and deny access to static files through specially crafted request URIs containing encoded path traversal sequences. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction to cause denial of service by returning HTTP 404 responses for normally accessible files. Public exploit code exists and patches are available.
HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. [CVSS 6.1 MEDIUM]
Denial of service in Svelte devalue library versions 5.1.0 through 5.6.1 allows remote attackers to exhaust CPU and memory resources by supplying malformed input to the parse function, affecting applications that process untrusted serialized data. The vulnerability stems from insufficient validation of ArrayBuffer inputs during deserialization. Applications should upgrade to version 5.6.2 or later.
The resolveSafeChildPath function in Backstage's backend-plugin-api prior to version 0.1.17 improperly validates symlink chains and dangling symlinks, allowing authenticated attackers to bypass path traversal protections used by Scaffolder actions and other backend components. An attacker with low privileges could exploit this to access files outside the intended directory boundaries by chaining intermediate symlinks or creating symlinks pointing to non-existent paths that are later materialized during file operations. This affects Backstage installations relying on the vulnerable path validation function for security isolation.
Backstage Scaffolder actions and archive extraction utilities are vulnerable to symlink-based path traversal attacks, allowing authenticated users with template creation privileges to read sensitive files, delete arbitrary files outside the workspace, or write malicious files via crafted symlinks in tar/zip archives. This affects deployments where users can create or execute Scaffolder templates, with no patch currently available for versions prior to @backstage/backend-defaults 0.12.2.
Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.
Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).
Stored XSS in Argo Workflows artifact directory listing (versions prior to 3.6.17 and 3.7.8) allows workflow authors to inject malicious JavaScript that executes in other users' browsers under the Argo Server origin. An attacker can leverage the victim's session to perform API actions and access resources with their privileges. Public exploit code exists for this vulnerability; patched versions are available.
External Secrets Operator versions 0.20.2 through 1.1.x contain an authorization bypass in the getSecretKey template function that allows authenticated users to retrieve secrets across namespace boundaries, circumventing intended access controls. An attacker with local Kubernetes access could exploit this to exfiltrate sensitive data managed by the operator outside their authorized namespace. The vulnerability has been patched in version 1.2.0 where the function was completely removed.
vLLM is an inference and serving engine for large language models (LLMs). [CVSS 8.8 HIGH]
Lodash versions up to 4.17.22 is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 5.3).
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. [CVSS 5.3 MEDIUM]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]
to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 versions up to 9.18.43 is affected by reachable assertion (CVSS 7.5).
A null pointer dereference in the Linux kernel's socket error queue handling causes a denial of service when CONFIG_HARDENED_USERCOPY is enabled and applications attempt to retrieve error messages via recvmsg(). Local attackers with user privileges can trigger a kernel panic by reading from the socket error queue on affected systems running vulnerable kernel versions.
Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.
Unauthorized API access in Apache Solr 5.3.0 through 9.10.0 allows unauthenticated attackers to bypass the RuleBasedAuthorizationPlugin due to insufficient input validation in permission rule enforcement. This vulnerability affects only deployments using multiple roles with specific predefined permissions like config-read, config-edit, schema-read, metrics-read, or security-read without the "all" permission rule defined. Successful exploitation grants attackers unauthorized access to sensitive Solr APIs, potentially exposing configuration and security data.
A null pointer dereference in the Linux kernel's QFQ packet scheduler (net/sched/sch_qfq) allows local attackers with user privileges to cause a denial of service by deactivating an inactive aggregate during qdisc reset operations. The vulnerability occurs when multiple QFQ qdisc instances share a leaf qdisc, causing incorrect state assumptions during cleanup. A patch is available to resolve this issue.
A flaw was found in the keycloak-services component of Keycloak. [CVSS 6.5 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 6.5).
Mysql contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Mysql Cluster contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 6.1).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.4).
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 5.3).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 4.8).
Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.
Node.js has a CVSS 10.0 permission model bypass that allows Unix Domain Socket connections to completely bypass network restrictions when --allow-net is configured.
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. [CVSS 5.3 MEDIUM]
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. [CVSS 7.1 HIGH]
Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.
PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.
NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. [CVSS 7.3 HIGH]
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. [CVSS 7.3 HIGH]
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. [CVSS 7.3 HIGH]
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. [CVSS 7.5 HIGH]
Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]
Heap corruption in Google Chrome's ANGLE graphics library prior to version 144.0.7559.59 can be triggered through a crafted HTML page, enabling remote attackers to execute arbitrary code without user interaction beyond visiting a malicious website. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, though no patch is currently available. With a CVSS score of 8.8 and minimal exploit complexity, this presents a significant risk to the browser's security model.
Chrome Split View prior to 144.0.7559.59 has a UI spoofing vulnerability that allows remote attackers to display misleading content in the split view interface.
Google Chrome prior to 144.0.7559.59 has insufficient policy enforcement in Network that allows attackers who obtained a network position to access sensitive data.
Chrome versions up to 144.0.7559.59 is affected by user interface (ui) misrepresentation of critical information (CVSS 5.4).
Out-of-bounds memory read in Chrome's V8 JavaScript engine prior to version 144.0.7559.59 enables remote attackers to leak sensitive information through maliciously crafted web pages requiring only user interaction. The vulnerability affects all Chrome users and exposes high-impact confidentiality and integrity risks with no available patch at this time.
Object corruption in Google Chrome's V8 engine prior to version 144.0.7559.59 can be triggered by remote attackers through malicious HTML pages, potentially leading to complete system compromise including unauthorized access, data modification, and denial of service. The vulnerability requires user interaction to exploit but does not require authentication or special privileges. No patch is currently available for affected users.
Out-of-bounds memory access in Chrome's V8 engine (versions prior to 144.0.7559.59) enables remote attackers to corrupt objects and potentially achieve code execution by delivering a malicious HTML page to users. The vulnerability requires user interaction but poses significant risk due to its high CVSS score (8.8) and impact on confidentiality, integrity, and availability. No patch is currently available.
Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction.
Jaraco.context versions 5.2.0 through 6.0.x contain a path traversal vulnerability in the tarball() function that allows attackers to extract files outside the intended directory when processing malicious tar archives, with public exploit code available. The vulnerability exploits insufficient path validation that fails to properly filter directory traversal sequences like `../`, potentially enabling unauthorized file extraction and nested tarball attacks. This affects all users processing untrusted tar archives with the vulnerable versions.
ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 8.1 HIGH]
Imagemagick versions up to 7.1.2-13 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).
ImageMagick versions prior to 7.1.2-13 fail to properly initialize buffer elements in the BilateralBlurImage method, leading to invalid pointer dereference and potential denial of service when memory allocation fails. An attacker can exploit this through network vectors to crash affected applications or trigger undefined behavior with high complexity requirements. A patch is available in version 7.1.2-13 and later.
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in offscreen bitmap deletion that leaves dangling pointers, exploitable by malicious RDP servers for client-side code execution.
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in xf_Pointer_New where cursor data is freed prematurely, allowing malicious RDP servers to execute code on clients.
ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.
FreeRDP versions before 3.21.0 contain a buffer overflow in FastGlyph parsing where a malicious Remote Desktop server can crash the client by sending specially crafted glyph data that bypasses length validation. A remote attacker can exploit this vulnerability without authentication to cause denial of service, and public exploit code exists. The vulnerability affects FreeRDP clients connecting to untrusted or compromised RDP servers, with no patch currently available for most deployments.
FreeRDP prior to 3.21.0 contains a client-side heap buffer overflow in session data processing, the fifth in a series of seven critical heap overflows fixed in version 3.21.0.
FreeRDP prior to 3.21.0 has another client-side heap buffer overflow that can be exploited by malicious RDP servers to achieve remote code execution on connected clients.
OpenStack keystonemiddleware 10.5 through 10.9 has an authentication spoofing vulnerability (CVSS 9.9) allowing attackers to bypass Keystone token validation and access any OpenStack service as any user.
FreeRDP prior to 3.21.0 has a client-side heap buffer overflow that can be triggered by a malicious RDP server during session data processing, enabling remote code execution.
FreeRDP prior to 3.21.0 has a heap buffer overflow in ClearCodec glyph data processing that allows a malicious RDP server to execute arbitrary code on connected clients.
FreeRDP prior to 3.21.0 has a heap buffer overflow in bitmap decompression (planar codec) that can be triggered by a malicious RDP server to execute code on the client.
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-va...
Heap-based buffer overflow in QuickJS up to version 0.11.0 within the js_typed_array_constructor_ta function allows remote attackers to corrupt memory and potentially achieve code execution with user interaction. Public exploit code exists for this vulnerability, increasing practical attack risk. A patch is available and should be applied immediately.
Use-after-free in QuickJS up to version 0.11.0 within the Atomics Ops Handler allows remote attackers to trigger memory corruption without authentication. Public exploit code exists for this vulnerability, enabling potential information disclosure or denial of service. A patch is available and should be applied immediately.
A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. [CVSS 5.3 MEDIUM]
A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. [CVSS 5.3 MEDIUM]
A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. [CVSS 5.3 MEDIUM]
A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. [CVSS 5.3 MEDIUM]
A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. [CVSS 5.3 MEDIUM]
node-tar versions 7.5.2 and earlier fail to properly sanitize link paths in tar archives when the default secure mode is enabled, allowing attackers to extract files outside the intended directory through malicious hardlinks and symlinks. Public exploit code exists for this vulnerability, which affects Node.js applications and related products including D-Link and Tar utilities. An attacker can overwrite arbitrary files or conduct symlink poisoning attacks on affected systems.
CakePHP versions prior to 5.2.12 and 5.3.1 contain a stored cross-site scripting vulnerability in the PaginatorHelper::limitControl() method that allows unauthenticated attackers to inject malicious scripts through query string parameters. An attacker can exploit this to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. The vulnerability requires user interaction to trigger but affects all installations using the vulnerable PaginatorHelper component.
pyasn1 is a generic ASN.1 library for Python. versions up to 0.6.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. [CVSS 8.1 HIGH]
Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. [CVSS 7.2 HIGH]
In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. [CVSS 6.7 MEDIUM]
In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. [CVSS 7.1 HIGH]
PlantUML versions before 1.2026.0 fail to properly sanitize interactive attributes in GraphViz diagrams, allowing attackers to inject malicious JavaScript into SVG output through crafted diagram files. Applications that render these SVGs are vulnerable to arbitrary script execution within the user's browser context. A patch is available to address this stored XSS vulnerability.
Denial of service in Traefik versions prior to 2.11.35 and 3.6.7 allows unauthenticated remote attackers to exhaust server resources by establishing incomplete ACME TLS-ALPN connections and leaving them open indefinitely. An attacker can send minimal ClientHello messages with the acme-tls/1 protocol and cease responding, causing goroutines and file descriptors to be held until the entry point becomes unavailable. The vulnerability affects systems with ACME TLS challenge enabled.
Stack memory disclosure in GNU C Library versions 2.0-2.42 allows unauthenticated remote attackers to leak sensitive stack contents via crafted DNS queries when getnetbyaddr functions are configured to use the DNS backend for network lookups. This vulnerability affects systems running vulnerable Glibc and DNS resolver combinations, with no available patch currently released.
Improper URI path normalization in Vert.x Web's static file handler allows remote attackers to manipulate the cache and deny access to static files through specially crafted request URIs containing encoded path traversal sequences. An unauthenticated attacker can exploit this vulnerability over the network with no user interaction to cause denial of service by returning HTTP 404 responses for normally accessible files. Public exploit code exists and patches are available.
HTTP request smuggling in H3 framework versions before 1.15.5 allows remote attackers to bypass security controls by exploiting improper case-sensitive validation of the Transfer-Encoding header. The vulnerability enables attackers to inject malicious requests that diverge between client and server parsing, potentially leading to cache poisoning, session hijacking, or other attacks. Public exploit code exists for this vulnerability.
An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML‑safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. [CVSS 6.1 MEDIUM]
Denial of service in Svelte devalue library versions 5.1.0 through 5.6.1 allows remote attackers to exhaust CPU and memory resources by supplying malformed input to the parse function, affecting applications that process untrusted serialized data. The vulnerability stems from insufficient validation of ArrayBuffer inputs during deserialization. Applications should upgrade to version 5.6.2 or later.