Network Services Group

Network Services Group https://validator.w3.org/feed/docs/rss2.html Blog How VoIP helps remote teams work smarter Use Viva Insights to build a more productive team Microsoft Edge features that help you work smarter in 2026 Practical strategies for securing your corporate Windows webcams Should you use private browsing to protect your data? How hospitals can keep thousands of connected devices secure Why identity is the new internal highway for cyberattacks Optimizing desktop and laptop settings for eco-friendly computing How SaaS helps SMBs save money and work more efficiently CVE-2026-34182 CMS AuthEnvelopedData Processing May Accept Forged Messages Welcome to Network Services Group CVE-2026-54411 Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext. Chromium: CVE-2026-11700 Use after free in Tracing Chromium: CVE-2026-11699 Use after free in Bluetooth Chromium: CVE-2026-11698 Use after free in Bluetooth Chromium: CVE-2026-11697 Insufficient validation of untrusted input in UI Chromium: CVE-2026-11696 Uninitialized Use in Video Chromium: CVE-2026-11695 Inappropriate implementation in Passwords Chromium: CVE-2026-11694 Use after free in ServiceWorker Chromium: CVE-2026-11693 Inappropriate implementation in Plugins Chromium: CVE-2026-11692 Use after free in Read Anything Chromium: CVE-2026-11691 Insufficient validation of untrusted input in New Tab Page Chromium: CVE-2026-11690 Out of bounds read and write in Media Chromium: CVE-2026-11689 Insufficient validation of untrusted input in Passwords Chromium: CVE-2026-11688 Object lifecycle issue in SVG Chromium: CVE-2026-11687 Use after free in Dawn Chromium: CVE-2026-11686 Insufficient validation of untrusted input in Dawn Chromium: CVE-2026-11685 Insufficient data validation in MediaCapture Chromium: CVE-2026-11684 Insufficient policy enforcement in Network Chromium: CVE-2026-11683 Use after free in WebCodecs CVE-2026-21717 A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2025-23167 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `rnrX` instead of the required `rnrn`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. Transforming online retail through cloud order management systems CVE-2026-39829 Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh CVE-2026-39821 Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh CVE-2024-36137 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the –allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. CVE-2024-22018 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the –allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2026-40034 gitoxide – Command Injection via Partial .gitmodules Override in gix-submodule CVE-2026-44839 RabbitMQ: Unsanitized vhost names allow for XSS in management UI CVE-2025-15649 IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob CVE-2026-28387 Potential Use-after-free in DANE Client Code CVE-2026-28388 NULL Pointer Dereference When Processing a Delta CRL CVE-2026-34874 An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0. CVE-2026-41054 Missing exit out of permission check in haveged could lead to root exploit Keep your Mac safe from modern ransomware threats How MTD boosts Android devices’ security