BitlBee before 3.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a file transfer request for a contact that is not in the contact list.
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
The process_otr function in bfd/versados.c in the Binary File Descriptor library , as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor library , as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.
Cross-site scripting vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.
Cross-site request forgery vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
The transit path validation code in Heimdal before 7.3 might allow attackers to bypass the capath policy protection mechanism by leveraging failure to add the previous hop realm to the transit path of issued tickets.