Overview
Description
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.
Statistics
- 1 Post
Last activity: 1 hour ago
Overview
- FiloSottile
- filippo.io/edwards25519
19 Feb 2026
Published
20 Feb 2026
Updated
CVSS v4.0
LOW (1.7)
EPSS
0.04%
KEV
Description
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.
Statistics
- 1 Post
Last activity: 17 hours ago
Bluesky
📢 Filippo Valsorda appelle à désactiver Dependabot au profit de govulncheck pour des alertes vulnérabilités p…📝 …
https://cyberveille.ch/posts/2026-02-22-filippo-valsorda-appelle-a-desactiver-dependabot-au-profit-de-govulncheck-pour-des-alertes-vulnerabilites-pertinentes/ #CVE_2026_26958 #Cyberveil…
Overview
- Red Hat
- Red Hat Enterprise Linux 10
- libxml2
15 Jan 2026
Published
15 Jan 2026
Updated
CVSS
Pending
EPSS
0.02%
KEV
Description
A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.
Statistics
- 1 Post
Last activity: 1 hour ago
Overview
- Artifex Software
- MuPDF
06 Feb 2026
Published
06 Feb 2026
Updated
CVSS v4.0
MEDIUM (5.9)
EPSS
0.06%
KEV
Description
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Statistics
- 3 Posts
Last activity: Last hour
Bluesky
Critical security patch for #Fedora 43: MuPDF 1.27.1 is out. This update addresses CVE-2026-25556, a denial-of-service vulnerability triggered by malicious files during barcode decoding. Read more: 👉 tinyurl.com/2neuuw7p #Security
Critical security advisory for the Fedora community: CVE-2026-25556 is a DoS vulnerability in PyMuPDF that can be triggered via crafted barcode decoding.
If you're running #Fedora 43, the path to mitigation is upgrading to mupdf 1.27.1. Read more: 👉 tinyurl.com/39bk5rw7 #Security
Overview
Description
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Statistics
- 1 Post
Last activity: 2 hours ago
Bluesky
Overview
- coreruleset
- coreruleset
08 Jan 2026
Published
08 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.3)
EPSS
0.05%
KEV
Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Statistics
- 1 Post
Last activity: 21 hours ago
Overview
Description
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
Statistics
- 1 Post
Last activity: 21 hours ago
Overview
Description
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Statistics
- 1 Post
Last activity: 2 hours ago
Overview
- Ivanti
- Endpoint Manager Mobile
29 Jan 2026
Published
30 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
41.90%
KEV
Description
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Statistics
- 1 Post
Last activity: 2 hours ago
Bluesky
Overview
Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Statistics
- 1 Post
Last activity: 2 hours ago