Report Name: Linux Patch Wednesday April 2026
Generated: 2026-04-22 15:11:26

Product Name	Prevalence	U	C	H	M	L	A	Comment
Vim	0.95			2	2		4	Highly configurable command-line text editor used in development and system administration.
systemd	0.95			2	3		5	System and service manager for Linux, including udev device management subsystem.
Apache Log4j	0.9				3		3	Apache Log4j is a Java-based logging utility
Django	0.9			2	2	1	5	Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in tools for database models, authentication, URL routing, templates, and security features, making it one of the most widely used frameworks for building scalable and maintainable web applications.
HTTP/2	0.9				1		1	HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web
Linux Kernel	0.9			1	89	119	209	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
Polkit	0.9				1		1	polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes
Rust	0.9		1	1	1		3	Rust is a modern, high-performance systems programming language focused on safety, concurrency, and memory management.
Sudo	0.9				2		2	Sudo is a widely used Unix/Linux utility that allows permitted users to execute commands with elevated (typically root) privileges while providing extensive logging and fine-grained security controls. It is a foundational component in most Linux and BSD distributions.
Windows Kernel	0.9			1			1	Windows Kernel
nghttp2	0.9				2		2	nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C
util-linux	0.9				1		1	Linux utility suite providing core system tools including mount. Vulnerability affects SUID mount binary due to TOCTOU race condition.
Dovecot	0.85			2	3		5	Open-source IMAP and POP3 email server with authentication and indexing features.
.NET Framework	0.8			1			1	.NET Framework
Binutils	0.8				1		1	The GNU Binary Utilities, or binutils, are a set of programming tools for creating and managing binary programs, object files, libraries, profile data, and assembly source code
CUPS	0.8		2	3	1		6	CUPS is a modular printing system for Unix-like computer operating systems which allows a computer to act as a print server
Chromium	0.8		1	43	71		115	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GLPI	0.8		1	2	3		6	GLPI is an open source IT Asset Management, issue tracking system and service desk system
GNU C Library	0.8			2			2	The GNU C Library, commonly known as glibc, is the GNU Project's implementation of the C standard library
Keycloak	0.8			1	12	1	14	Keycloak is an open‑source identity and access management (IAM) solution that provides single sign‑on (SSO), user federation, identity brokering, and access control for applications and services.
Mozilla Firefox	0.8			6	45		51	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Netty	0.8		1		1		2	Netty is a non-blocking I/O client-server framework for the development of Java network applications such as protocol servers and clients
Node.js	0.8			1	6	1	8	Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more
OpenSSH	0.8			1	1	3	5	OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture
OpenSSL	0.8			2	3		5	A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
Pygments	0.8				1		1	Syntax highlighting library for multiple programming languages.
Safari	0.8			4	14	1	19	Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
Varnish Cache	0.8				2		2	High-performance HTTP accelerator and reverse proxy for caching web content.
Zabbix	0.8			1	2		3	Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services
xmldom	0.75				1		1	JavaScript XML parser and serializer implementing W3C DOM standards.
.NET	0.7			1	1		2	.NET
.NET and Visual Studio	0.7			1			1	.NET and Visual Studio
Apache Tomcat	0.7			4	5		9	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
Apache Traffic Server	0.7			1	1		2	The Apache Traffic Server is a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid
BIND	0.7				4		4	BIND is a suite of software for interacting with the Domain Name System
Calibre	0.7			2			2	Calibre is a cross-platform free and open-source suite of e-book software
FFmpeg	0.7				1		1	FFmpeg is a free and open-source software project consisting of a suite of libraries and programs for handling video, audio, and other multimedia files and streams
JupyterHub	0.7				1		1	Multi-user server for Jupyter notebooks used in education and data science environments.
Kubernetes	0.7			2	2		4	Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management
Log4net	0.7				1		1	Logging framework for .NET applications supporting flexible XML-based configuration.
MariaDB	0.7			1	1		2	MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system, intended to remain free and open-source software under the GNU General Public License
QEMU	0.7			2			2	QEMU is a generic and open source machine & userspace emulator and virtualizer
cpp-httplib	0.7			2			2	cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library
musl libc	0.7			1	1		2	musl libc is a lightweight, fast, and standards-conformant implementation of the C standard library, commonly used in embedded systems and Linux distributions such as Alpine Linux.
tinyproxy	0.7				1		1	Lightweight HTTP/HTTPS proxy server for Unix-like systems.
Apache ActiveMQ	0.6	1			2		3	Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client
Axios	0.6			2	1		3	axios is a promise based HTTP client for the browser and node.js
Canonical LXD	0.6				2		2	Canonical LXD is a system container and VM manager for Linux. LXD-UI is the web UI component of LXD that provides a browser-based interface for creating, managing and starting containers and instances.
ClamAV	0.6				1		1	ClamAV (Clam AntiVirus) is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses
FreeRDP	0.6			2	6	1	9	FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license
ImageMagick	0.6				12	3	15	ImageMagick, invoked from the command line as magick, is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images
Jenkins	0.6				2		2	Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration, and continuous delivery.
Jetty	0.6				2		2	Jetty is a Java based web server and servlet engine
Kea DHCP	0.6				1		1	ISC DHCP server replacement providing DHCPv4/v6 services and control API.
Libsoup	0.6			1			1	libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop to integrate well with GNOME applications and also has a synchronous API for use in CLI tools.
MongoDB	0.6				3		3	MongoDB is a source-available, cross-platform, document-oriented database program
OWASP CRS	0.6				1		1	The OWASP Core Rule Set (CRS) is an open-source set of generic attack detection rules designed for use with compatible web application firewalls (WAFs). CRS provides protection against common web application attacks, including SQL injection, cross-site scripting (XSS), and local file inclusion, by inspecting HTTP requests and enforcing security policies.
PHP Secure Communications Library	0.6					2	2	phpseclib provides pure-PHP implementations of SSH2, SFTP, RSA, DSA, Elliptic Curves, AES, ChaCha20, X. 509, CSR, CRL, SPKAC
Perl	0.6			1	2	1	4	Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
PostgreSQL	0.6				1		1	PostgreSQL also known as Postgres, is a free and open-source relational database management system emphasizing extensibility and SQL compliance.
PyTorch	0.6				1		1	PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing, originally developed by Meta AI and now part of the Linux Foundation umbrella
Python	0.6			1	1	1	3	Python is a high-level, general-purpose programming language
Redis	0.6				1		1	Redis is an open-source in-memory storage, used as a distributed, in-memory key–value database, cache and message broker, with optional durability
Roundcube	0.6				6	3	9	Roundcube is a web-based IMAP email client
Webmin	0.6				1		1	Webmin is a web-based system administration tool for Unix-like servers and services, with about 1,000,000 yearly installations worldwide. It allows administrators to configure operating system internals such as users, disk quotas, services, and configuration files, as well as modify and control open-source applications such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and more.
gdk-pixbuf	0.6			1			1	gdk-pixbuf is an open source image loading and manipulation library used primarily in GNOME-based applications for handling various image formats, including JPEG, PNG, and GIF.
strongSwan	0.6			1			1	strongSwan is an open source IPsec-based VPN solution that provides secure network connectivity using IKEv1 and IKEv2 protocols, widely used on Linux systems for site-to-site and remote access VPN deployments.
Addressable	0.5				1		1	Product detected by a:addressable_project:addressable (exists in CPE dict)
Botan	0.5				4		4	Product detected by a:botan_project:botan (exists in CPE dict)
Cockpit	0.5		1				1	Cockpit is a web-based server administration tool for Linux systems that allows users to manage servers, containers, storage, and network configurations through a browser interface.
CommonMark	0.5				1		1	Product detected by a:thephpleague:commonmark (exists in CPE dict)
Cosign	0.5					1	1	Product detected by a:sigstore:cosign (exists in CPE dict)
Crun	0.5			1			1	Product detected by a:crun_project:crun (exists in CPE dict)
DCMTK	0.5			1			1	DCMTK (DICOM Toolkit) is an open-source collection of libraries and applications implementing large parts of the DICOM standard, including image processing, storage, and network services for medical imaging.
Devise	0.5				1		1	Product detected by a:heartcombo:devise (exists in CPE dict)
FRRouting	0.5					1	1	FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms, supporting BGP, OSPF, RIP, IS-IS, and other routing protocols for network infrastructure.
Flask	0.5				1		1	Flask is a lightweight WSGI web application framework
Fluent Bit	0.5			1	3	1	5	Fluent Bit is a fast, lightweight, and scalable telemetry data agent and processor for logs, metrics, and traces
GIFLIB	0.5			1			1	Product detected by a:giflib_project:giflib (exists in CPE dict)
GIMP	0.5			1	5		6	GIMP is an open-source image manipulation program used for photo editing, graphic design, and digital art creation.
Glance	0.5			1			1	Product detected by a:openstack:glance (exists in CPE dict)
Go	0.5				11	1	12	Product detected by a:golang:go (exists in CPE dict)
Handlebars	0.5		1	5			6	Product detected by a:handlebarsjs:handlebars (exists in CPE dict)
Hugo	0.5				1		1	Product detected by a:gohugo:hugo (exists in CPE dict)
Kamailio	0.5				2		2	Kamailio is an open-source SIP server used for building scalable VoIP, instant messaging, and real-time communications systems.
Kvmtool	0.5			1			1	Product detected by a:kvmtool_project:kvmtool (exists in CPE dict)
LibVNCServer	0.5		1	1			2	Product detected by a:libvncserver_project:libvncserver (exists in CPE dict)
Libarchive	0.5			1	3		4	Multi-format archive and compression library
Libexif	0.5				2		2	Product detected by a:libexif_project:libexif (exists in CPE dict)
Libraw	0.5			6			6	Product detected by a:libraw:libraw (exists in CPE dict)
MapServer	0.5			1			1	Product detected by a:osgeo:mapserver (exists in CPE dict)
Mbed TLS	0.5			1	9	1	11	Mbed TLS
Mongoose	0.5			3			3	Product detected by a:cesanta:mongoose (exists in CPE dict)
NGINX Plus	0.5				2	2	4	Product detected by a:f5:nginx_plus (exists in CPE dict)
Netwide Assembler	0.5			3			3	Product detected by a:nasm:netwide_assembler (exists in CPE dict)
Node.js pbkdf2	0.5			2			2	The crypto.pbkdf2(), also known as Password-Based Key Derivation function, provides an asynchronous implementation of the derivative function. A key is derived by using the Hmac digest of a specified algorithm from password, salt and iterations.
OpenSC	0.5			2	2		4	OpenSC is a set of software tools and libraries to work with smart cards, with the focus on smart cards with cryptographic capabilities
OpenTelemetry	0.5				2		2	OpenTelemetry is a collection of APIs, SDKs, and tools. Use it to instrument, generate, collect, and export telemetry data (metrics, logs and traces) to help you analyze your software's performance and behavior
Orthanc	0.5				9		9	Product detected by a:orthanc-server:orthanc (exists in CPE dict)
Osslsigncode	0.5			1	3		4	Product detected by a:osslsigncode_project:osslsigncode (exists in CPE dict)
PDFBox	0.5				1		1	Product detected by a:apache:pdfbox (exists in CPE dict)
Packetbeat	0.5				1		1	Product detected by a:elasticsearch:packetbeat (exists in CPE dict)
Poetry	0.5			1			1	Product detected by a:python-poetry:poetry (exists in CPE dict)
Pypdf	0.5				2		2	PyPDF is a Python library for reading, manipulating, and writing PDF files, including extraction, splitting, merging, and encryption features.
Quiche	0.5				3		3	Product detected by a:cloudflare:quiche (exists in CPE dict)
RAUC	0.5				1		1	Product detected by a:pengutronix:rauc (exists in CPE dict)
Requests	0.5					1	1	Product detected by a:python:requests (exists in CPE dict)
SDL Image	0.5				1		1	Product detected by a:libsdl:sdl_image (exists in CPE dict)
SPIP	0.5				1		1	SPIP is an open-source software content management system designed for web site publishing, oriented towards online collaborative editing
Scripting Engine	0.5				1		1	Scripting Engine
Socket.io-parser	0.5				1		1	Product detected by a:socket:socket.io-parser (exists in CPE dict)
Squid	0.5				3		3	Squid is a caching and forwarding HTTP proxy supporting web acceleration, content filtering, and caching for HTTP, HTTPS, and FTP.
Starlette	0.5			1			1	Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit
Suricata	0.5				5		5	Suricata is an open-source intrusion detection and prevention system (IDS/IPS) and network security monitoring engine that supports deep packet inspection and threat detection.
Thunderbird	0.5				1	1	2	Product detected by a:mozilla:thunderbird (exists in CPE dict)
TimescaleDB	0.5				1		1	Product detected by a:timescale:timescaledb (exists in CPE dict)
Traefik	0.5			2	1	2	5	Product detected by a:traefik:traefik (exists in CPE dict)
UltraJSON	0.5			1	1		2	Product detected by a:ultrajson_project:ultrajson (exists in CPE dict)
Vert.x-Web	0.5			1			1	Product detected by a:eclipse:vert.x-web (exists in CPE dict)
XZ	0.5				1		1	Product detected by a:tukaani:xz (exists in CPE dict)
Znuny	0.5			1			1	Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management
aardvark-dns	0.5				1		1	Product detected by a:containers:aardvark-dns (does NOT exist in CPE dict)
aiohttp	0.5				7	2	9	Product detected by a:aiohttp:aiohttp (exists in CPE dict)
avahi	0.5			1			1	Product detected by a:avahi:avahi (exists in CPE dict)
awstats	0.5			1			1	Product detected by a:awstats:awstats (exists in CPE dict)
bcrypt-ruby	0.5				1		1	Product detected by a:bcrypt-ruby_project:bcrypt-ruby (does NOT exist in CPE dict)
buildkit	0.5				1		1	Product detected by a:mobyproject:buildkit (exists in CPE dict)
corosync	0.5			2			2	Product detected by a:corosync:corosync (exists in CPE dict)
cryptography	0.5				1		1	Product detected by a:cryptography.io:cryptography (exists in CPE dict)
deepdiff	0.5			1			1	Product detected by a:qluster:deepdiff (does NOT exist in CPE dict)
distribution	0.5			1			1	Product detected by a:distribution_project:distribution (does NOT exist in CPE dict)
dnsdist	0.5				4	2	6	Product detected by a:powerdns:dnsdist (exists in CPE dict)
dokuwiki	0.5			1			1	Product detected by a:dokuwiki:dokuwiki (exists in CPE dict)
dynaconf	0.5			1			1	Product detected by a:dynaconf:dynaconf (does NOT exist in CPE dict)
ecdsa	0.5			1			1	Product detected by a:tlsfuzzer:ecdsa (does NOT exist in CPE dict)
fast-xml-parser	0.5			2			2	Product detected by a:naturalintelligence:fast-xml-parser (does NOT exist in CPE dict)
flatted	0.5			1			1	Product detected by a:webreflection:flatted (does NOT exist in CPE dict)
glances	0.5			6			6	Product detected by a:nicolargo:glances (does NOT exist in CPE dict)
glibc	0.5			1			1	Product detected by a:gnu:glibc (exists in CPE dict)
go-git	0.5				1	1	2	Product detected by a:go-git_project:go-git (does NOT exist in CPE dict)
gobgp	0.5					3	3	Product detected by a:osrg:gobgp (does NOT exist in CPE dict)
grpc	0.5			1			1	Product detected by a:grpc:grpc (exists in CPE dict)
hdf5	0.5			2			2	Product detected by a:hdfgroup:hdf5 (exists in CPE dict)
htslib	0.5				10		10	Product detected by a:htslib:htslib (exists in CPE dict)
icalendar	0.5			1			1	Product detected by a:icalendar_project:icalendar (does NOT exist in CPE dict)
incus	0.5			2	2		4	Product detected by a:linuxcontainers:incus (does NOT exist in CPE dict)
jwcrypto	0.5			1			1	Product detected by a:latchset:jwcrypto (does NOT exist in CPE dict)
leaflet	0.5			1			1	Product detected by a:leafletjs:leaflet (does NOT exist in CPE dict)
libde265	0.5			2			2	Product detected by a:struktur:libde265 (exists in CPE dict)
libpng	0.5				1		1	Product detected by a:libpng:libpng (exists in CPE dict)
lodash	0.5				1	1	2	Product detected by a:lodash:lodash (exists in CPE dict)
log4cxx	0.5					1	1	Product detected by a:apache:log4cxx (exists in CPE dict)
memray	0.5			1			1	Product detected by a:bloomberg:memray (does NOT exist in CPE dict)
mesa	0.5				1		1	Product detected by a:mesa3d:mesa (exists in CPE dict)
moby	0.5				1	1	2	Product detected by a:mobyproject:moby (exists in CPE dict)
mongodb	0.5			1	1	1	3	Product detected by a:mongodb:mongodb (exists in CPE dict)
nats-server	0.5				8	5	13	Product detected by a:linuxfoundation:nats-server (exists in CPE dict)
ncurses	0.5			1			1	Product detected by a:invisible-island:ncurses (does NOT exist in CPE dict)
nginx_open_source	0.5				2		2	Product detected by a:f5:nginx_open_source (does NOT exist in CPE dict)
nix	0.5					1	1	Product detected by a:nixos:nix (does NOT exist in CPE dict)
nltk	0.5			3			3	Product detected by a:nltk:nltk (exists in CPE dict)
ocaml	0.5				1		1	Product detected by a:ocaml:ocaml (exists in CPE dict)
ollama	0.5			1			1	Product detected by a:ollama:ollama (does NOT exist in CPE dict)
onnx	0.5			2	2		4	Product detected by a:linuxfoundation:onnx (exists in CPE dict)
openexr	0.5			7			7	Product detected by a:openexr:openexr (exists in CPE dict)
ormar	0.5		1				1	Product detected by a:collerek:ormar (does NOT exist in CPE dict)
path-to-regexp	0.5				2	1	3	Product detected by a:pillarjs:path-to-regexp (does NOT exist in CPE dict)
pf4j	0.5			1			1	Product detected by a:pf4j_project:pf4j (exists in CPE dict)
picomatch	0.5				2		2	Product detected by a:jonschlinkert:picomatch (does NOT exist in CPE dict)
pjsip	0.5			1			1	Product detected by a:pjsip:pjsip (exists in CPE dict)
plexus-utils	0.5			1			1	Product detected by a:codehaus-plexus:plexus-utils (does NOT exist in CPE dict)
pydicom	0.5			1			1	Product detected by a:pydicom:pydicom (does NOT exist in CPE dict)
rack	0.5			1	4	7	12	Product detected by a:rack:rack (does NOT exist in CPE dict)
rack-session	0.5			1			1	Product detected by a:rack:rack-session (does NOT exist in CPE dict)
rails	0.5				6	1	7	Product detected by a:rubyonrails:rails (exists in CPE dict)
rdiscount	0.5			1			1	Product detected by a:dafoster:rdiscount (does NOT exist in CPE dict)
samtools	0.5				2		2	Product detected by a:samtools:samtools (does NOT exist in CPE dict)
scitokens_cpp_library	0.5		1	1			2	Product detected by a:scitokens:scitokens_cpp_library (does NOT exist in CPE dict)
serialize	0.5				1		1	Product detected by a:yahoo:serialize (does NOT exist in CPE dict)
tar	0.5			2			2	Product detected by a:isaacs:tar (does NOT exist in CPE dict)
the_sleuth_kit	0.5				3		3	Product detected by a:sleuthkit:the_sleuth_kit (exists in CPE dict)
tiemu	0.5			1			1	Product detected by a:ticalc:tiemu (does NOT exist in CPE dict)
tigervnc	0.5				1		1	Product detected by a:tigervnc:tigervnc (exists in CPE dict)
uri	0.5			1			1	Product detected by a:lambdaisland:uri (does NOT exist in CPE dict)
wolfSSL	0.5				24	3	27	wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers
wolfssl	0.5			1	1		2	Product detected by a:wolfssl:wolfssl (exists in CPE dict)
xdg-dbus-proxy	0.5					1	1	Product detected by a:flatpak:xdg-dbus-proxy (does NOT exist in CPE dict)
xml::parser	0.5				2		2	Product detected by a:toddr:xmlparser (does NOT exist in CPE dict)
yaml	0.5			1			1	Product detected by a:eemeli:yaml (does NOT exist in CPE dict)
Erlang/OTP	0.4				1		1	Erlang/OTP is a set of libraries for the Erlang programming language
Flatpak	0.4			1	2	1	4	Flatpak is a utility for software deployment and package management for Linux
GPAC	0.4			1			1	GPAC is an Open Source multimedia framework for research and academic purposes; the project covers different aspects of multimedia, with a focus on presentation technologies (graphics, animation and interactivity)
Git	0.4			1			1	Git
Gunicorn	0.4			1			1	The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface (WSGI) HTTP server
Keras	0.4				1		1	High-level neural networks API, running on top of TensorFlow, allowing model building and training
Spring Framework	0.4					1	1	The Spring Framework is an application framework and inversion of control container for the Java platform
JOSE	0.3				1		1	JavaScript module for JSON Object Signing and Encryption (JOSE)
jqlang jq	0.3				5	1	6	jq is a lightweight and flexible command-line JSON processor, allowing powerful querying and manipulation of JSON data streams.
Wasmtime	0.25				8	4	12	Standalone WebAssembly runtime written in Rust
form-data	0.25				1		1	JavaScript library for constructing multipart form-data
GitHub	0.2				1		1	GitHub, Inc. is an Internet hosting service for software development and version control using Git
libtiff	0.2				1		1	libtiff is a widely used library for reading and writing TIFF (Tagged Image File Format) files, offering tools like tiff2ps.
Unknown Product	0				32	57	89	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0	1	3	52	31	1	88
Authentication Bypass	0.98		2	13	23		38
Code Injection	0.97		1	9			10
Command Injection	0.97		1	5	3		9
Arbitrary File Writing	0.95		1				1
Security Feature Bypass	0.9		2	33	64	2	101
Server-Side Request Forgery	0.87			5	3		8
Elevation of Privilege	0.85			4	6		10
Arbitrary File Reading	0.83			2	1		3
Information Disclosure	0.83			8	18		26
Cross Site Scripting	0.8			7	10	1	18
Open Redirect	0.75			1	2		3
Denial of Service	0.7		1	27	95	6	129
Path Traversal	0.7			8	13	1	22
Incorrect Calculation	0.5			9	29	2	40
Memory Corruption	0.5			21	182	17	220
Spoofing	0.4			1	9		10
Tampering	0.3			2			2
Unknown Vulnerability Type	0				84	213	297

Source	U	C	H	M	L	A
almalinux		1	11	61	3	76
altlinux		2	42	130	22	196
debian	1	10	184	520	235	950
oraclelinux		1	12	63	5	81
redhat		1	10	59	3	73
redos		1	7	16	3	27
ubuntu		1	18	40	17	76

Urgent (1)

1. Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) - Urgent [921]

Description: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue

debian: CVE-2026-34197 was patched at 2026-04-15

Critical (11)

2. Remote Code Execution - Chromium (CVE-2026-5281) - Critical [716]

Description: Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2026-5281 was patched at 2026-04-02, 2026-04-15

3. Remote Code Execution - Cockpit (CVE-2026-4631) - Critical [690]

Description: Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

almalinux: CVE-2026-4631 was patched at 2026-04-10

debian: CVE-2026-4631 was patched at 2026-04-15

oraclelinux: CVE-2026-4631 was patched at 2026-04-10, 2026-04-14

redhat: CVE-2026-4631 was patched at 2026-04-10

4. Code Injection - GLPI (CVE-2025-66417) - Critical [639]

Description: GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.

redos: CVE-2025-66417 was patched at 2026-03-19

5. Security Feature Bypass - ormar (CVE-2026-27953) - Critical [636]

Description: ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.

debian: CVE-2026-27953 was patched at 2026-03-25

6. Remote Code Execution - Handlebars (CVE-2026-33937) - Critical [630]

Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.

debian: CVE-2026-33937 was patched at 2026-04-15

7. Arbitrary File Writing - Rust (CVE-2026-33056) - Critical [605]

Description: tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

altlinux: CVE-2026-33056 was patched at 2026-04-02

debian: CVE-2026-33056 was patched at 2026-03-25, 2026-04-15

ubuntu: CVE-2026-33056 was patched at 2026-04-01, 2026-04-13, 2026-04-14

8. Authentication Bypass - CUPS (CVE-2026-34990) - Critical [605]

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.

debian: CVE-2026-34990 was patched at 2026-04-15

9. Command Injection - Netty (CVE-2026-33870) - Critical [604]

Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

debian: CVE-2026-33870 was patched at 2026-04-15

10. Authentication Bypass - scitokens_cpp_library (CVE-2026-32725) - Critical [603]

Description: SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.

debian: CVE-2026-32725 was patched at 2026-04-15

11. Security Feature Bypass - CUPS (CVE-2026-34980) - Critical [603]

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.

debian: CVE-2026-34980 was patched at 2026-04-15

12. Denial of Service - LibVNCServer (CVE-2026-32854) - Critical [601]

Description: LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.

altlinux: CVE-2026-32854 was patched at 2026-04-01, 2026-04-03

debian: CVE-2026-32854 was patched at 2026-04-15

High (207)

13. Remote Code Execution - Kvmtool (CVE-2021-45464) - High [595]

Description: kvmtool through 39181fc allows an out-of-bounds write, related to virtio/balloon.c and virtio/pci.c. This allows a guest OS user to execute arbitrary code on the host machine.

ubuntu: CVE-2021-45464 was patched at 2026-04-13

14. Remote Code Execution - tiemu (CVE-2017-20225) - High [595]

Description: TiEmu 2.08 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting inadequate boundary checks on user-supplied input. Attackers can trigger the overflow through command-line arguments passed to the application, leveraging ROP gadgets to bypass protections and execute shellcode in the application context.

debian: CVE-2017-20225 was patched at 2026-04-15

15. Elevation of Privilege - Keycloak (CVE-2026-4636) - High [594]

Description: A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

altlinux: CVE-2026-4636 was patched at 2026-04-06, 2026-04-10

16. Authentication Bypass - Node.js pbkdf2 (CVE-2026-32633) - High [591]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

altlinux: CVE-2026-32633 was patched at 2026-04-02

debian: CVE-2026-32633 was patched at 2026-03-25

17. Authentication Bypass - rack-session (CVE-2026-39324) - High [591]

Description: Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

debian: CVE-2026-39324 was patched at 2026-04-15

ubuntu: CVE-2026-39324 was patched at 2026-04-20

18. Code Injection - glances (CVE-2026-30930) - High [589]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.

altlinux: CVE-2026-30930 was patched at 2026-04-02

19. Server-Side Request Forgery - Axios (CVE-2025-62718) - High [588]

Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

debian: CVE-2025-62718 was patched at 2026-04-15

20. Remote Code Execution - CUPS (CVE-2026-39316) - High [585]

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.

debian: CVE-2026-39316 was patched at 2026-04-15

21. Remote Code Execution - Netwide Assembler (CVE-2026-6067) - High [583]

Description: A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.

debian: CVE-2026-6067 was patched at 2026-04-15

22. Authentication Bypass - Traefik (CVE-2026-33433) - High [579]

Description: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.3, when `headerField` is configured with a non-canonical HTTP header name (e.g., `x-auth-user` instead of `X-Auth-User`), an authenticated attacker can inject their own canonical version of that header to impersonate any identity to the backend. The backend receives two header entries — the attacker-injected canonical one is read first, overriding Traefik's non-canonical write. Versions 2.11.42, 3.6.11, and 3.7.0-ea.3 patch the issue.

altlinux: CVE-2026-33433 was patched at 2026-03-27

23. Authentication Bypass - grpc (CVE-2026-33186) - High [579]

Description: gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

altlinux: CVE-2026-33186 was patched at 2026-03-23, 2026-04-02, 2026-04-03, 2026-04-06

debian: CVE-2026-33186 was patched at 2026-04-15

24. Command Injection - awstats (CVE-2025-63261) - High [577]

Description: AWStats 8.0 is vulnerable to Command Injection via the open function

debian: CVE-2025-63261 was patched at 2026-03-25

25. Denial of Service - corosync (CVE-2026-35091) - High [577]

Description: A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.

debian: CVE-2026-35091 was patched at 2026-04-15

ubuntu: CVE-2026-35091 was patched at 2026-04-13

26. Security Feature Bypass - cpp-httplib (CVE-2026-34441) - High [575]

Description: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.

debian: CVE-2026-34441 was patched at 2026-04-15

27. Denial of Service - Django (CVE-2026-33033) - High [572]

Description: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

debian: CVE-2026-33033 was patched at 2026-04-15

ubuntu: CVE-2026-33033 was patched at 2026-04-07, 2026-04-09

28. Remote Code Execution - openexr (CVE-2026-34545) - High [571]

Description: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.

debian: CVE-2026-34545 was patched at 2026-04-15

29. Denial of Service - strongSwan (CVE-2026-25075) - High [570]

Description: strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.

debian: CVE-2026-25075 was patched at 2026-03-23, 2026-03-25

ubuntu: CVE-2026-25075 was patched at 2026-03-23

30. Authentication Bypass - nltk (CVE-2026-33231) - High [567]

Description: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.

altlinux: CVE-2026-33231 was patched at 2026-03-26, 2026-04-08

debian: CVE-2026-33231 was patched at 2026-03-25

31. Authentication Bypass - scitokens_cpp_library (CVE-2026-32726) - High [567]

Description: SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.

debian: CVE-2026-32726 was patched at 2026-04-15

32. Denial of Service - GNU C Library (CVE-2026-4046) - High [567]

Description: The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

debian: CVE-2026-4046 was patched at 2026-04-15

33. Path Traversal - CUPS (CVE-2026-34978) - High [567]

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.

debian: CVE-2026-34978 was patched at 2026-04-15

34. Security Feature Bypass - Safari (CVE-2026-20643) - High [567]

Description: A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.

debian: CVE-2026-20643 was patched at 2026-04-15

35. Code Injection - Handlebars (CVE-2026-33938) - High [566]

Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.

debian: CVE-2026-33938 was patched at 2026-04-15

36. Code Injection - Handlebars (CVE-2026-33940) - High [566]

Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`, the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.

debian: CVE-2026-33940 was patched at 2026-04-15

37. Code Injection - dynaconf (CVE-2026-33154) - High [566]

Description: dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.

debian: CVE-2026-33154 was patched at 2026-03-25

38. Code Injection - glances (CVE-2026-32611) - High [566]

Description: Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.

altlinux: CVE-2026-32611 was patched at 2026-04-02

debian: CVE-2026-32611 was patched at 2026-03-25

39. Elevation of Privilege - QEMU (CVE-2026-33711) - High [566]

Description: Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus intro truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.

debian: CVE-2026-33711 was patched at 2026-04-15

redos: CVE-2026-33711 was patched at 2026-04-20

40. Path Traversal - pf4j (CVE-2025-70952) - High [565]

Description: pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

debian: CVE-2025-70952 was patched at 2026-04-15

41. Security Feature Bypass - rack (CVE-2026-34835) - High [565]

Description: Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.

debian: CVE-2026-34835 was patched at 2026-04-15

ubuntu: CVE-2026-34835 was patched at 2026-04-17

42. Security Feature Bypass - wolfssl (CVE-2026-5194) - High [565]

Description: Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled.

debian: CVE-2026-5194 was patched at 2026-04-15

43. Information Disclosure - cpp-httplib (CVE-2026-33745) - High [562]

Description: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.

debian: CVE-2026-33745 was patched at 2026-04-15

44. Denial of Service - systemd (CVE-2026-39314) - High [557]

Description: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.

debian: CVE-2026-39314 was patched at 2026-04-15

45. Denial of Service - GIFLIB (CVE-2026-26740) - High [553]

Description: Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size.

debian: CVE-2026-26740 was patched at 2026-03-25

46. Denial of Service - corosync (CVE-2026-35092) - High [553]

Description: A flaw was found in Corosync. An integer overflow vulnerability in Corosync's join message sanity validation allows a remote, unauthenticated attacker to send crafted User Datagram Protocol (UDP) packets. This can cause the service to crash, leading to a denial of service. This vulnerability specifically affects Corosync deployments configured to use totemudp/totemudpu mode.

debian: CVE-2026-35092 was patched at 2026-04-15

ubuntu: CVE-2026-35092 was patched at 2026-04-13

47. Arbitrary File Reading - onnx (CVE-2026-27489) - High [552]

Description: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.

debian: CVE-2026-27489 was patched at 2026-04-15

48. Information Disclosure - Node.js pbkdf2 (CVE-2026-32609) - High [552]

Description: Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

altlinux: CVE-2026-32609 was patched at 2026-04-02

debian: CVE-2026-32609 was patched at 2026-03-25

49. Remote Code Execution - Axios (CVE-2026-40175) - High [552]

Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.

debian: CVE-2026-40175 was patched at 2026-04-15

50. Open Redirect - uri (CVE-2023-28628) - High [550]

Description: lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2023-28628 was patched at 2026-04-15

ubuntu: CVE-2023-28628 was patched at 2026-04-06

51. Server-Side Request Forgery - distribution (CVE-2026-33540) - High [548]

Description: Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.

debian: CVE-2026-33540 was patched at 2026-04-15

52. Remote Code Execution - hdf5 (CVE-2026-29043) - High [547]

Description: HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems.

debian: CVE-2026-29043 was patched at 2026-04-15

53. Information Disclosure - Libsoup (CVE-2026-5119) - High [545]

Description: A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

debian: CVE-2026-5119 was patched at 2026-04-15

54. Server-Side Request Forgery - Calibre (CVE-2026-33205) - High [545]

Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.

debian: CVE-2026-33205 was patched at 2026-04-15

55. Server-Side Request Forgery - Calibre (CVE-2026-33206) - High [545]

Description: calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre' handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.

debian: CVE-2026-33206 was patched at 2026-04-15

56. Elevation of Privilege - glances (CVE-2026-33641) - High [544]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.

altlinux: CVE-2026-33641 was patched at 2026-04-02

debian: CVE-2026-33641 was patched at 2026-04-15

57. Information Disclosure - systemd (CVE-2026-40228) - High [544]

Description: In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.

debian: CVE-2026-40228 was patched at 2026-04-15

58. Memory Corruption - GNU C Library (CVE-2026-4437) - High [544]

Description: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

debian: CVE-2026-4437 was patched at 2026-03-25

59. Denial of Service - dokuwiki (CVE-2026-26477) - High [541]

Description: An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file

debian: CVE-2026-26477 was patched at 2026-04-15

60. Denial of Service - ollama (CVE-2025-15514) - High [541]

Description: Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted.

altlinux: CVE-2025-15514 was patched at 2026-04-08

61. Information Disclosure - LibVNCServer (CVE-2026-32853) - High [541]

Description: LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

altlinux: CVE-2026-32853 was patched at 2026-04-01, 2026-04-03

debian: CVE-2026-32853 was patched at 2026-04-15

62. Information Disclosure - openexr (CVE-2026-34543) - High [541]

Description: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.

debian: CVE-2026-34543 was patched at 2026-04-15

63. Security Feature Bypass - Traefik (CVE-2026-32695) - High [541]

Description: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik's Knative provider builds router rules by interpolating user-controlled values into backtick-delimited rule expressions without escaping. In live cluster validation, Knative `rules[].hosts[]` was exploitable for host restriction bypass (for example `tenant.example.com`) || Host(`attacker.com`), producing a router that serves attacker-controlled hosts. Knative `headers[].exact` also allows rule-syntax injection and proves unsafe rule construction. In multi-tenant clusters, this can route unauthorized traffic to victim services and lead to cross-tenant traffic exposure. Versions 3.6.11 and 3.7.0-ea.2 patch the issue.

altlinux: CVE-2026-32695 was patched at 2026-03-27

64. Security Feature Bypass - glances (CVE-2026-32634) - High [541]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

altlinux: CVE-2026-32634 was patched at 2026-04-02

debian: CVE-2026-32634 was patched at 2026-03-25

65. Memory Corruption - Apache Tomcat (CVE-2026-29146) - High [539]

Description: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

debian: CVE-2026-29146 was patched at 2026-04-15

66. Cross Site Scripting - Starlette (CVE-2026-32610) - High [535]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.

altlinux: CVE-2026-32610 was patched at 2026-04-02

debian: CVE-2026-32610 was patched at 2026-03-25

67. Denial of Service - FreeRDP (CVE-2026-33952) - High [534]

Description: FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.

altlinux: CVE-2026-33952 was patched at 2026-04-14, 2026-04-15

debian: CVE-2026-33952 was patched at 2026-04-15

68. Denial of Service - gdk-pixbuf (CVE-2026-5201) - High [534]

Description: A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.

debian: CVE-2026-5201 was patched at 2026-04-11, 2026-04-15

ubuntu: CVE-2026-5201 was patched at 2026-04-08

69. Denial of Service - Handlebars (CVE-2026-33939) - High [529]

Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.

debian: CVE-2026-33939 was patched at 2026-04-15

70. Denial of Service - UltraJSON (CVE-2026-32875) - High [529]

Description: UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.

debian: CVE-2026-32875 was patched at 2026-03-25

71. Denial of Service - deepdiff (CVE-2026-33155) - High [529]

Description: DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.

debian: CVE-2026-33155 was patched at 2026-03-25

72. Information Disclosure - glances (CVE-2026-33533) - High [529]

Description: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.

altlinux: CVE-2026-33533 was patched at 2026-04-02

debian: CVE-2026-33533 was patched at 2026-04-15

73. Cross Site Scripting - Handlebars (CVE-2026-33941) - High [523]