CVE-2026-27651

Overview

F5
NGINX Open Source

24 Mar 2026

Published

24 Mar 2026

Updated

CVSS v3.1

HIGH (7.5)

EPSS

0.04%

MITRE

KEV

Description

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Statistics

1 Post
3 Interactions

Last activity: 15 hours ago

Fediverse

Seth Grover @mmguero

Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
  - This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
  - these NetBox plugins were also updated:
    - netbox-initializers to v4.5.1
    - netbox-topology-views to v4.5.1
    - Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
  - thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
  - critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
  - high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
  - high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
  - medium: Injection in auth_http and XCLIENT CVE-2026-28753
  - medium: OCSP result bypass in stream CVE-2026-28755
  - high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
- Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
- When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
- Suricata's HTTP version was not being normalized to network.protocol_version.
🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

2
1
0
15h ago

CVE-2026-1642

Overview

F5
NGINX Open Source

04 Feb 2026

Published

05 Feb 2026

Updated

CVSS v3.1

MEDIUM (5.9)

EPSS

0.02%

MITRE

KEV

Description

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Statistics

1 Post
3 Interactions

Last activity: 15 hours ago

Fediverse

Seth Grover @mmguero

Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
  - This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
  - these NetBox plugins were also updated:
    - netbox-initializers to v4.5.1
    - netbox-topology-views to v4.5.1
    - Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
  - thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
  - critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
  - high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
  - high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
  - medium: Injection in auth_http and XCLIENT CVE-2026-28753
  - medium: OCSP result bypass in stream CVE-2026-28755
  - high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
- Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
- When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
- Suricata's HTTP version was not being normalized to network.protocol_version.
🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

2
1
0
15h ago

CVE-2026-44244

Overview

gitpython-developers
GitPython

07 May 2026

Published

09 May 2026

Updated

CVSS v3.1

HIGH (7.8)

EPSS

0.02%

MITRE

KEV

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

Statistics

1 Post
3 Interactions

Last activity: 15 hours ago

Fediverse

Seth Grover @mmguero

Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
  - This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
  - these NetBox plugins were also updated:
    - netbox-initializers to v4.5.1
    - netbox-topology-views to v4.5.1
    - Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
  - thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
  - critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
  - high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
  - high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
  - medium: Injection in auth_http and XCLIENT CVE-2026-28753
  - medium: OCSP result bypass in stream CVE-2026-28755
  - high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
- Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
- When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
- Suricata's HTTP version was not being normalized to network.protocol_version.
🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

2
1
0
15h ago

CVE-2026-28753

Overview

F5
NGINX Open Source

24 Mar 2026

Published

24 Mar 2026

Updated

CVSS v3.1

LOW (3.7)

EPSS

0.02%

MITRE

KEV

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Statistics

1 Post
3 Interactions

Last activity: 15 hours ago

Fediverse

Seth Grover @mmguero

Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
  - This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
  - these NetBox plugins were also updated:
    - netbox-initializers to v4.5.1
    - netbox-topology-views to v4.5.1
    - Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
  - thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
  - critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
  - high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
  - high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
  - medium: Injection in auth_http and XCLIENT CVE-2026-28753
  - medium: OCSP result bypass in stream CVE-2026-28755
  - high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
- Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
- When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
- Suricata's HTTP version was not being normalized to network.protocol_version.
🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

2
1
0
15h ago

CVE-2026-44243

Overview

gitpython-developers
GitPython

07 May 2026

Published

07 May 2026

Updated

CVSS v4.0

HIGH (7.8)

EPSS

0.11%

MITRE

KEV

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.

Statistics

1 Post
3 Interactions

Last activity: 15 hours ago

Fediverse

Seth Grover @mmguero

Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
  - This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
  - these NetBox plugins were also updated:
    - netbox-initializers to v4.5.1
    - netbox-topology-views to v4.5.1
    - Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
  - thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
  - critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
  - high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
  - high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
  - high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
  - medium: Injection in auth_http and XCLIENT CVE-2026-28753
  - medium: OCSP result bypass in stream CVE-2026-28755
  - high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
- Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
- When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
- Suricata's HTTP version was not being normalized to network.protocol_version.
🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

2
1
0
15h ago