Red Hat
Monthly
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Arbitrary file write vulnerability in Calibre's RocketBook input plugin enables attackers to write files to any location accessible by the Calibre process when a user opens or converts a malicious .rb file. The path traversal flaw affects versions prior to 9.5.0 and represents an unpatched instance of the same vulnerability class previously fixed in the PDB reader component. Local attackers can leverage this to corrupt files, modify configuration, or potentially achieve code execution depending on file system permissions.
Denial of service vulnerability in CairoSVG (Python SVG rendering library) caused by exponential amplification through recursive <use> SVG elements without depth limits. An attacker can cause 100% CPU exhaustion indefinitely with a tiny 1,411-byte SVG file, affecting any service that processes SVG input (thumbnails, PDFs, avatars). A working proof-of-concept is publicly available, patches have been released, and while not in KEV, the vulnerability has a 7.5 CVSS score with network-based, unauthenticated exploitation.
FreeRDP versions prior to 3.24.0 contain an out-of-bounds read vulnerability in MS-ADPCM and IMA-ADPCM audio decoders that allows unauthenticated remote attackers to read sensitive information from process memory. The vulnerability affects all FreeRDP installations using these audio codecs; an attacker can trigger the flaw by providing specially crafted audio data during RDP session establishment, potentially disclosing confidential data such as credentials or session tokens without requiring privileges or interaction beyond basic RDP connection initiation.
A denial of service vulnerability in FreeRDP (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Size_t integer underflow vulnerability in FreeRDP's IMA-ADPCM and MS-ADPCM audio decoders that triggers a heap buffer overflow write via the RDPSND audio channel. All FreeRDP versions prior to 3.24.0 are affected. An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction to cause information disclosure and data corruption, though not denial of service based on the CVSS impact ratings.
FreeRDP versions prior to 3.24.0 contain a client-side heap out-of-bounds read/write vulnerability in the bitmap cache subsystem caused by an off-by-one boundary check error. A malicious RDP server can exploit this by sending a specially crafted CACHE_BITMAP_ORDER (Rev1) packet with cacheId equal to maxCells, allowing access to memory one element past the allocated array boundary. This vulnerability affects FreeRDP clients connecting to untrusted or compromised servers and could lead to information disclosure or denial of service, though the CVSS score of 5.3 and lack of confidentiality impact suggest limited real-world severity.
A client-side heap buffer overflow vulnerability exists in FreeRDP's AVC420/AVC444 YUV-to-RGB color space conversion code due to missing horizontal bounds validation of H.264 metablock region coordinates. FreeRDP versions prior to 3.24.0 are affected, allowing a malicious RDP server to trigger out-of-bounds memory writes via specially crafted WIRE_TO_SURFACE_PDU_1 packets with oversized regionRects left coordinates, resulting in denial of service through heap corruption. The vulnerability requires no user interaction or authentication and has a CVSS score of 5.3 with EPSS risk classification indicating moderate exploitation likelihood; no public exploit code is known to exist at this time.
Node.js Undici's response deduplication feature accumulates response bodies in memory instead of streaming them, allowing remote attackers to trigger denial of service through large or concurrent responses from untrusted endpoints. Applications using the deduplicate() interceptor are vulnerable to out-of-memory crashes when processing large or chunked responses. No patch is currently available.
CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.
Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by stack-based buffer overflow (CVSS 6.7).
command line text editor. From 9.1.0011 to versions up to 9.2.0137 is affected by null pointer dereference (CVSS 5.3).
n Proto is a data interchange format and capability-based RPC system. versions up to 1.4.0 contains a vulnerability that allows attackers to HTTP request/response smuggling.
n Proto is a data interchange format and capability-based RPC system. versions up to 1.4.0 is affected by integer overflow or wraparound.
Undici fails to normalize HTTP header names when processing arrays, allowing duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length") to be sent in malformed requests. Applications using undici's low-level APIs with user-controlled header inputs are vulnerable to request rejection by strict HTTP parsers or potential HTTP request smuggling attacks if intermediaries and backend servers interpret conflicting header values inconsistently. No patch is currently available.
Medium severity vulnerability in See description. #
Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.
mod_proxy_cluster's decodeenc() function is vulnerable to CRLF injection, enabling unauthenticated attackers with network access to the MCMP protocol port to manipulate cluster configuration and corrupt INFO endpoint responses. This input validation bypass affects systems relying on mod_proxy_cluster for load balancing and cluster management. No patch is currently available for this medium-severity vulnerability.
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Denial of service in yauzl 3.2.0 (Node.js zip parsing library) allows remote attackers to crash applications by submitting malformed zip files with specially crafted NTFS timestamp fields that trigger an out-of-bounds buffer read. The vulnerability affects any Node.js application that processes untrusted zip uploads and extracts file modification dates. No patch is currently available.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 4.3).
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in PDF in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in Clipboard in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in ChromeDriver in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Heap buffer overflow in Skia in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Unsafe navigation in Navigation in Google Chrome on iOS versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in Extensions in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
use after free in WindowDialog in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 7.5).
Use after free in WebMIDI in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in MediaStream in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in TextEncoding in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Use after free in Extensions in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in WebMCP in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in Agents in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.
cpp-httplib versions prior to 0.37.1 crash when the streaming API receives a malformed Content-Length header from any server, as the library fails to validate or handle exceptions from the underlying string parsing function. An attacker can exploit this denial of service condition by hosting a malicious server, performing a man-in-the-middle attack, or leveraging HTTP redirects to crash any client application using the vulnerable library. Currently no patch is available for this issue.
In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.
Keycloak's Account REST API improperly validates session assurance levels, enabling authenticated attackers with a victim's password to remove MFA/OTP credentials without re-authentication and subsequently register their own authenticator. This allows complete account takeover by bypassing the intended multi-factor authentication protections. The vulnerability affects users relying on MFA as a security control and currently has no available patch.
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by heap-based buffer overflow (CVSS 5.7).
Curl's SMB implementation contains a use-after-free vulnerability that causes denial of service when processing consecutive requests to the same host, as the library incorrectly dereferences freed memory on subsequent connections. Public exploit code exists for this vulnerability affecting Curl installations. An attacker can crash Curl-based applications or services by triggering multiple SMB requests, though remote code execution is not possible due to the nature of the memory corruption.
OAuth2 bearer token leakage in curl and .NET occurs when HTTP redirects are followed to a second hostname that matches entries in the .netrc configuration file, allowing attackers to obtain valid authentication tokens for unintended hosts. Public exploit code exists for this vulnerability affecting curl and .NET applications that rely on OAuth2 authentication with automatic redirect handling. This medium-severity vulnerability (CVSS 5.3) requires network access but no user interaction, and patches are available from vendors.
libcurl incorrectly reuses authenticated connections when processing Negotiate authentication requests, allowing an attacker with valid credentials to access resources authenticated under different user accounts. An authenticated attacker can exploit this connection pooling logic error to bypass authentication checks by reusing an existing connection that was authenticated with different credentials. This affects libcurl implementations using Negotiate authentication where multiple users access the same server.
Istio versions prior to 1.29.1, 1.28.5, and 1.27.8 are vulnerable to authorization policy bypass through improper Envoy RBAC handling of multi-valued HTTP headers. An attacker can craft requests with multiple header values that cause the authorization engine to evaluate headers differently than intended, allowing unauthorized access to protected microservices. No patch is currently available for this vulnerability.
pypdf is a free and open-source pure-python PDF library. versions up to 6.8.0 is affected by allocation of resources without limits or throttling.
Denial of service in file-type library versions prior to 21.3.1 allows remote attackers to hang Node.js event loops by submitting malformed ASF (WMV/WMA) files that trigger infinite loops during file type detection. Applications using file-type to analyze untrusted input are vulnerable, with a minimal 55-byte payload sufficient to stall processing. No patch is currently available for affected Node.js and File Type products.
Flare versions before 1.7.3 contain a path traversal vulnerability in the avatar endpoint that allows authenticated users to read arbitrary files from the application container by exploiting unsanitized filename parameters. Any user with login access, including self-registered accounts on instances with open registration enabled (default configuration), can enumerate and retrieve sensitive files accessible to the Node.js process. The vulnerability requires authentication but poses a significant confidentiality risk on publicly accessible Flare instances without registration restrictions.
Authentication bypass in Vaadin framework (14.0.0-14.14.0, 23.0.0-23.6.x, and other ranges). The web application framework fails to properly enforce authentication on certain routes.
Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]
Apache PDFBox versions 2.0.24-2.0.35 and 3.0.0-3.0.6 contain a path traversal vulnerability in the ExtractEmbeddedFiles example that allows attackers to write files outside the intended extraction directory by manipulating embedded file names. Organizations that have integrated this example code into production systems are at risk of unauthorized file writes on the host system. No patch is currently available, requiring developers to manually implement path validation to ensure extracted files remain within the designated directory.
node-tar is a full-featured Tar for Node.js.
Medium severity vulnerability in ImageMagick. A 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur.
Medium severity vulnerability in ImageMagick. A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur.
BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the `-bilateral-blur` operation an out of bounds read can occur. ``` ================================================================= ==676172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50a0000079c0 at pc 0x57b483c722f7 bp 0x7fffc0acd380 sp 0x7fffc0acd370 READ of size 4 at 0x50a0000079c0 thread T0 ```
Medium severity vulnerability in ImageMagick. A heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write.
High severity vulnerability in ImageMagick. MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack.
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by buffer overflow (CVSS 5.7).
Heap over-read in ImageMagick's MAT decoder prior to versions 7.1.2-16 and 6.9.13-41 results from incorrect arithmetic parenthesization, allowing remote attackers to leak sensitive memory contents and cause denial of service through crafted MAT image files. The vulnerability requires no authentication or user interaction and affects systems using vulnerable ImageMagick versions for image processing. No patch is currently available, leaving users dependent on upgrading to patched versions when released.
Medium severity vulnerability in ImageMagick. A stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data.
Imagemagick versions up to 7.1.2-16 is affected by improper link resolution before file access (CVSS 6.3).
ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 contain a heap-use-after-free vulnerability in the MSL encoder that can be triggered by local attackers to cause denial of service through double-free conditions on cloned images. The vulnerability requires local access with no special privileges or user interaction, resulting in application crashes or potential memory corruption. No patch is currently available for affected versions.
Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.
Medium severity vulnerability in ImageMagick. A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation.
High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.
Medium severity vulnerability in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. [CVSS 6.2 MEDIUM]
Out-of-bounds read in libssh versions up to 0.11.3 allows remote attackers to cause denial of service by manipulating the idx argument in the SFTP extension name handler functions. The vulnerability resides in the sftp_extensions_get_name and sftp_extensions_get_data functions, enabling unauthenticated attackers to trigger memory access violations without user interaction. Upgrading to libssh 0.11.4 or 0.12.0 resolves this issue.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched...
self-hostable file sharing platform that integrates with screenshot tools. versions up to 1.7.2 is affected by authorization bypass through user-controlled key.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. [CVSS 7.5 HIGH]
GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. [CVSS 7.5 HIGH]
Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing characters, allowing attackers to bypass content-type restrictions and route requests to unintended parsers. When regex-based content-type parsing is enabled, requests with invalid Content-Type headers such as "application/json garbage" are processed normally instead of being rejected, potentially enabling request misrouting and manipulation of parser behavior. No patch is currently available for this medium-severity vulnerability affecting Fastify applications.
Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Arbitrary file write vulnerability in Calibre's RocketBook input plugin enables attackers to write files to any location accessible by the Calibre process when a user opens or converts a malicious .rb file. The path traversal flaw affects versions prior to 9.5.0 and represents an unpatched instance of the same vulnerability class previously fixed in the PDB reader component. Local attackers can leverage this to corrupt files, modify configuration, or potentially achieve code execution depending on file system permissions.
Denial of service vulnerability in CairoSVG (Python SVG rendering library) caused by exponential amplification through recursive <use> SVG elements without depth limits. An attacker can cause 100% CPU exhaustion indefinitely with a tiny 1,411-byte SVG file, affecting any service that processes SVG input (thumbnails, PDFs, avatars). A working proof-of-concept is publicly available, patches have been released, and while not in KEV, the vulnerability has a 7.5 CVSS score with network-based, unauthenticated exploitation.
FreeRDP versions prior to 3.24.0 contain an out-of-bounds read vulnerability in MS-ADPCM and IMA-ADPCM audio decoders that allows unauthenticated remote attackers to read sensitive information from process memory. The vulnerability affects all FreeRDP installations using these audio codecs; an attacker can trigger the flaw by providing specially crafted audio data during RDP session establishment, potentially disclosing confidential data such as credentials or session tokens without requiring privileges or interaction beyond basic RDP connection initiation.
A denial of service vulnerability in FreeRDP (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Size_t integer underflow vulnerability in FreeRDP's IMA-ADPCM and MS-ADPCM audio decoders that triggers a heap buffer overflow write via the RDPSND audio channel. All FreeRDP versions prior to 3.24.0 are affected. An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction to cause information disclosure and data corruption, though not denial of service based on the CVSS impact ratings.
FreeRDP versions prior to 3.24.0 contain a client-side heap out-of-bounds read/write vulnerability in the bitmap cache subsystem caused by an off-by-one boundary check error. A malicious RDP server can exploit this by sending a specially crafted CACHE_BITMAP_ORDER (Rev1) packet with cacheId equal to maxCells, allowing access to memory one element past the allocated array boundary. This vulnerability affects FreeRDP clients connecting to untrusted or compromised servers and could lead to information disclosure or denial of service, though the CVSS score of 5.3 and lack of confidentiality impact suggest limited real-world severity.
A client-side heap buffer overflow vulnerability exists in FreeRDP's AVC420/AVC444 YUV-to-RGB color space conversion code due to missing horizontal bounds validation of H.264 metablock region coordinates. FreeRDP versions prior to 3.24.0 are affected, allowing a malicious RDP server to trigger out-of-bounds memory writes via specially crafted WIRE_TO_SURFACE_PDU_1 packets with oversized regionRects left coordinates, resulting in denial of service through heap corruption. The vulnerability requires no user interaction or authentication and has a CVSS score of 5.3 with EPSS risk classification indicating moderate exploitation likelihood; no public exploit code is known to exist at this time.
Node.js Undici's response deduplication feature accumulates response bodies in memory instead of streaming them, allowing remote attackers to trigger denial of service through large or concurrent responses from untrusted endpoints. Applications using the deduplicate() interceptor are vulnerable to out-of-memory crashes when processing large or chunked responses. No patch is currently available.
CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.
Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by stack-based buffer overflow (CVSS 6.7).
command line text editor. From 9.1.0011 to versions up to 9.2.0137 is affected by null pointer dereference (CVSS 5.3).
n Proto is a data interchange format and capability-based RPC system. versions up to 1.4.0 contains a vulnerability that allows attackers to HTTP request/response smuggling.
n Proto is a data interchange format and capability-based RPC system. versions up to 1.4.0 is affected by integer overflow or wraparound.
Undici fails to normalize HTTP header names when processing arrays, allowing duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length") to be sent in malformed requests. Applications using undici's low-level APIs with user-controlled header inputs are vulnerable to request rejection by strict HTTP parsers or potential HTTP request smuggling attacks if intermediaries and backend servers interpret conflicting header values inconsistently. No patch is currently available.
Medium severity vulnerability in See description. #
Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.
mod_proxy_cluster's decodeenc() function is vulnerable to CRLF injection, enabling unauthenticated attackers with network access to the MCMP protocol port to manipulate cluster configuration and corrupt INFO endpoint responses. This input validation bypass affects systems relying on mod_proxy_cluster for load balancing and cluster management. No patch is currently available for this medium-severity vulnerability.
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Denial of service in yauzl 3.2.0 (Node.js zip parsing library) allows remote attackers to crash applications by submitting malformed zip files with specially crafted NTFS timestamp fields that trigger an out-of-bounds buffer read. The vulnerability affects any Node.js application that processes untrusted zip uploads and extracts file modification dates. No patch is currently available.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 4.3).
Insufficient policy enforcement in DevTools in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in PDF in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in Clipboard in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in ChromeDriver in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Heap buffer overflow in Skia in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Unsafe navigation in Navigation in Google Chrome on iOS versions up to 146.0.7680.71 contains a security vulnerability.
Insufficient policy enforcement in Extensions in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
use after free in WindowDialog in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 7.5).
Use after free in WebMIDI in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in MediaStream in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in TextEncoding in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Use after free in Extensions in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in WebMCP in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in Agents in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.
cpp-httplib versions prior to 0.37.1 crash when the streaming API receives a malformed Content-Length header from any server, as the library fails to validate or handle exceptions from the underlying string parsing function. An attacker can exploit this denial of service condition by hosting a malicious server, performing a man-in-the-middle attack, or leveraging HTTP redirects to crash any client application using the vulnerable library. Currently no patch is available for this issue.
In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.
Keycloak's Account REST API improperly validates session assurance levels, enabling authenticated attackers with a victim's password to remove MFA/OTP credentials without re-authentication and subsequently register their own authenticator. This allows complete account takeover by bypassing the intended multi-factor authentication protections. The vulnerability affects users relying on MFA as a security control and currently has no available patch.
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by heap-based buffer overflow (CVSS 5.7).
Curl's SMB implementation contains a use-after-free vulnerability that causes denial of service when processing consecutive requests to the same host, as the library incorrectly dereferences freed memory on subsequent connections. Public exploit code exists for this vulnerability affecting Curl installations. An attacker can crash Curl-based applications or services by triggering multiple SMB requests, though remote code execution is not possible due to the nature of the memory corruption.
OAuth2 bearer token leakage in curl and .NET occurs when HTTP redirects are followed to a second hostname that matches entries in the .netrc configuration file, allowing attackers to obtain valid authentication tokens for unintended hosts. Public exploit code exists for this vulnerability affecting curl and .NET applications that rely on OAuth2 authentication with automatic redirect handling. This medium-severity vulnerability (CVSS 5.3) requires network access but no user interaction, and patches are available from vendors.
libcurl incorrectly reuses authenticated connections when processing Negotiate authentication requests, allowing an attacker with valid credentials to access resources authenticated under different user accounts. An authenticated attacker can exploit this connection pooling logic error to bypass authentication checks by reusing an existing connection that was authenticated with different credentials. This affects libcurl implementations using Negotiate authentication where multiple users access the same server.
Istio versions prior to 1.29.1, 1.28.5, and 1.27.8 are vulnerable to authorization policy bypass through improper Envoy RBAC handling of multi-valued HTTP headers. An attacker can craft requests with multiple header values that cause the authorization engine to evaluate headers differently than intended, allowing unauthorized access to protected microservices. No patch is currently available for this vulnerability.
pypdf is a free and open-source pure-python PDF library. versions up to 6.8.0 is affected by allocation of resources without limits or throttling.
Denial of service in file-type library versions prior to 21.3.1 allows remote attackers to hang Node.js event loops by submitting malformed ASF (WMV/WMA) files that trigger infinite loops during file type detection. Applications using file-type to analyze untrusted input are vulnerable, with a minimal 55-byte payload sufficient to stall processing. No patch is currently available for affected Node.js and File Type products.
Flare versions before 1.7.3 contain a path traversal vulnerability in the avatar endpoint that allows authenticated users to read arbitrary files from the application container by exploiting unsanitized filename parameters. Any user with login access, including self-registered accounts on instances with open registration enabled (default configuration), can enumerate and retrieve sensitive files accessible to the Node.js process. The vulnerability requires authentication but poses a significant confidentiality risk on publicly accessible Flare instances without registration restrictions.
Authentication bypass in Vaadin framework (14.0.0-14.14.0, 23.0.0-23.6.x, and other ranges). The web application framework fails to properly enforce authentication on certain routes.
Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]
Apache PDFBox versions 2.0.24-2.0.35 and 3.0.0-3.0.6 contain a path traversal vulnerability in the ExtractEmbeddedFiles example that allows attackers to write files outside the intended extraction directory by manipulating embedded file names. Organizations that have integrated this example code into production systems are at risk of unauthorized file writes on the host system. No patch is currently available, requiring developers to manually implement path validation to ensure extracted files remain within the designated directory.
node-tar is a full-featured Tar for Node.js.
Medium severity vulnerability in ImageMagick. A 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur.
Medium severity vulnerability in ImageMagick. A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur.
BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the `-bilateral-blur` operation an out of bounds read can occur. ``` ================================================================= ==676172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50a0000079c0 at pc 0x57b483c722f7 bp 0x7fffc0acd380 sp 0x7fffc0acd370 READ of size 4 at 0x50a0000079c0 thread T0 ```
Medium severity vulnerability in ImageMagick. A heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write.
High severity vulnerability in ImageMagick. MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack.
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by buffer overflow (CVSS 5.7).
Heap over-read in ImageMagick's MAT decoder prior to versions 7.1.2-16 and 6.9.13-41 results from incorrect arithmetic parenthesization, allowing remote attackers to leak sensitive memory contents and cause denial of service through crafted MAT image files. The vulnerability requires no authentication or user interaction and affects systems using vulnerable ImageMagick versions for image processing. No patch is currently available, leaving users dependent on upgrading to patched versions when released.
Medium severity vulnerability in ImageMagick. A stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data.
Imagemagick versions up to 7.1.2-16 is affected by improper link resolution before file access (CVSS 6.3).
ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 contain a heap-use-after-free vulnerability in the MSL encoder that can be triggered by local attackers to cause denial of service through double-free conditions on cloned images. The vulnerability requires local access with no special privileges or user interaction, resulting in application crashes or potential memory corruption. No patch is currently available for affected versions.
Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.
Medium severity vulnerability in ImageMagick. A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation.
High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.
Medium severity vulnerability in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. [CVSS 6.2 MEDIUM]
Out-of-bounds read in libssh versions up to 0.11.3 allows remote attackers to cause denial of service by manipulating the idx argument in the SFTP extension name handler functions. The vulnerability resides in the sftp_extensions_get_name and sftp_extensions_get_data functions, enabling unauthenticated attackers to trigger memory access violations without user interaction. Upgrading to libssh 0.11.4 or 0.12.0 resolves this issue.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the content, which is inconsistent with stricter checks used by other endpoints. This issue has been patched...
self-hostable file sharing platform that integrates with screenshot tools. versions up to 1.7.2 is affected by authorization bypass through user-controlled key.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. [CVSS 7.5 HIGH]
GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. [CVSS 7.5 HIGH]
Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing characters, allowing attackers to bypass content-type restrictions and route requests to unintended parsers. When regex-based content-type parsing is enabled, requests with invalid Content-Type headers such as "application/json garbage" are processed normally instead of being rejected, potentially enabling request misrouting and manipulation of parser behavior. No patch is currently available for this medium-severity vulnerability affecting Fastify applications.
Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]