CVE-2026-11785
A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address informat
CVSS
4.3
Medium
EPSS
0.2%
p8
KEV
—
Exploit Today
2
0-100
Published: Jun 9, 2026 · Last modified: Jun 30, 2026 · CWE-843
0.2%EPSS · 30 days0.2%
2026-06-302026-07-17
A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-105859.8 CRI91.8%
KEV—78Google Chromium V8 Type Confusion Vulnerability3dCVE-2025-132238.8 HIG91.1%
KEV—77Google Chromium V8 Type Confusion Vulnerability3dCVE-2026-217107.5 HIG97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**3dCVE-2026-59467.5 HIG76.2%
——23Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.3dCVE-2026-339379.8 CRI75.8%
——23Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.3dCVE-2026-571087.5 HIG61.9%
——19Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.3d