Overview
- Go toolchain
- cmd/cgo
- cmd/cgo
05 Feb 2026
Published
05 Feb 2026
Updated
CVSS
Pending
EPSS
Pending
KEV
Description
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Statistics
- 1 Post
- 29 Interactions
Last activity: 15 hours ago
Bluesky
Overview
Description
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously
crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Statistics
- 1 Post
Last activity: 5 hours ago
Overview
Description
In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
- Red Hat
- Red Hat Enterprise Linux 7 Extended Lifecycle Support
- emacs
12 Feb 2025
Published
24 Nov 2025
Updated
CVSS
Pending
EPSS
0.21%
KEV
Description
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Statistics
- 1 Post
Last activity: 10 hours ago
Overview
- Kubernetes
- ingress-nginx
03 Feb 2026
Published
05 Feb 2026
Updated
CVSS v3.1
HIGH (8.8)
EPSS
0.10%
KEV
Description
A security issue was discovered in ingress-nginxย where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Statistics
- 2 Posts
Last activity: 9 hours ago
Bluesky
๐ด CVE-2026-1580 and CVE-2026-24512 allow for config #injection via the "nginx.ingress.kubernetes.io/auth-method" ingress annotation and the "rules.http.paths.path" ingress field, respectively.
๐ก CVE-2026-24514 is a #DoS in the ingress-nginx admission controller, triggered by sending large requests.