Log inNormale weergave
Ontvangen β 31 Mei 2026
β
Microsoft Security
-
Microsoft Security
- Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
-
- Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
-
- Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
-
- CVE-2024-36137 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
CVE-2024-36137 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
31 Mei 2026 om 10:40
Information published.
-
- CVE-2025-15504 lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference
CVE-2025-15504 lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-21717 A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
-
- CVE-2025-23167 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
-
- CVE-2024-22018 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
-
- CVE-2026-40034 gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule
CVE-2026-40034 gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule
31 Mei 2026 om 10:04
Information published.
CVE-2026-44839 RabbitMQ: Unsanitized vhost names allow for XSS in management UI
31 Mei 2026 om 10:04
Information published.
-
- CVE-2025-15649 IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date
CVE-2025-15649 IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date
31 Mei 2026 om 10:04
Information published.
-
- CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
31 Mei 2026 om 10:04
Information published.
CVE-2026-28387 Potential Use-after-free in DANE Client Code
31 Mei 2026 om 10:04
Information published.
-
- CVE-2026-25833 Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function
CVE-2026-25833 Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function
31 Mei 2026 om 10:04
Information published.
CVE-2026-25834 Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
31 Mei 2026 om 10:04
Information published.
CVE-2026-28388 NULL Pointer Dereference When Processing a Delta CRL
31 Mei 2026 om 10:04
Information published.
-
- CVE-2026-34873 An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.
CVE-2026-34873 An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.
31 Mei 2026 om 10:04
Information published.
-
- CVE-2026-34874 An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.
CVE-2026-2673 OpenSSL TLS 1.3 server may choose unexpected key agreement group
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-34875 An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FFDH keys.
CVE-2026-34875 An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FFDH keys.
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-34871 An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).
-
- CVE-2026-28390 Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
CVE-2026-28390 Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
31 Mei 2026 om 10:03
Information published.
CVE-2026-33671 Picomatch has a ReDoS vulnerability via extglob quantifiers
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-25835 Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).
CVE-2026-25835 Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-33672 Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
CVE-2026-33672 Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-34872 An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values (lack of contributory behavior). This is a problem for protocols that depend on contributory behavior (which is not the case for TLS). The attack can be carried by the peer, or depending on the protocol by an active network attacker (person in the middle).
CVE-2026-31789 Heap Buffer Overflow in Hexadecimal Conversion
31 Mei 2026 om 10:03
Information published.
-
- CVE-2026-28389 Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo
CVE-2026-28389 Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo
31 Mei 2026 om 10:02
Information published.
-
- CVE-2017-3736 There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
