VYPR

CVEs

38,009 total · page 2 of 761

  • CVE-2026-55849 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Summary: A command injection vulnerability exists in `@cyclonedx/cyclonedx-npm` when the CLI is invoked with the `--workspace` option while the environment variable `npm_execpath` is unset or empty. User-supplied `--workspace` values are passed to a subshell…

  • CVE-2026-54904 · high · Jun 19, 2026
    risk 0.38 · cvss · epss 0.00

    Summary: `Concurrent::AtomicReference#update` can enter a permanent busy retry loop when the current value is `Float::NAN`. The issue is caused by the interaction between `AtomicReference#update`, which retries until `compare_and_set(old_value, new_value)` succeeds, and …

  • CVE-2026-54903 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj.load` is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in `buf_append_string` (`buf.h:61`) converts the string length to a large negative `size_t`, causing `memcpy` to copy an astronomically large amount of data…

  • CVE-2026-54902 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside `hash_end` can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to…

  • CVE-2026-54901 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj::Parser` in usual mode does not mark `array_class` and `hash_class` references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent…

  • CVE-2026-54900 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable to heap corruption via a negative-size `memcpy`. When a JSON object key is exactly 65,535 bytes long, an integer truncation in `form_attr` (`usual.c:63`) converts the length to `-1` before…

  • CVE-2026-54784 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: When the proof key recovered from the RSTR can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT (default ~10 hours) and decrypt or forge any subsequent…

  • CVE-2026-54783 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays…

  • CVE-2026-54781 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: The relying application is given a ClaimsPrincipal for a subject whose authority over the assertion the sender never proved. There are two distinct exploit shapes. Holder-of-key downgrade: an attacker who obtains a holder-of-key SAML assertion that was issued…

  • CVE-2026-54774 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: When a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped. Preconditions: The service is configured to authenticate using SAML tokens and an out-of-band token resolver…

  • CVE-2026-54772 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: An unauthenticated remote attacker can pin one server thread-pool worker at 100% CPU per connection. With a few connections, the CPU usage can be exhausted. Preconditions: An attacker being able to reach a service which is exposing an endpoint using one of…

  • CVE-2026-54898 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj::Parser#parse` is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw `const byte *` pointer into the Ruby string's internal buffer. If a callback (e.g. `hash_start`) resizes the…

  • CVE-2026-54897 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls `doc.close` or `d.close`, the document's heap memory is freed while the C iterator is still running. When control…

  • CVE-2026-54896 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj.dump` in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large `:indent` value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With…

  • CVE-2026-54592 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. Details: Two-step chain in `ext/oj/fast.c`: 1.…

  • CVE-2026-54528 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Summary: `jupyterlab-git` 0.53.0 (latest, 2026-04-30) uses `fnmatch.fnmatchcase()` in `GitHandler.prepare()` (`jupyterlab_git/handlers.py:91`) to enforce the admin-configured `excluded_paths` security control. Because `fnmatchcase` is unconditionally case-sensitive, an…

  • CVE-2026-54527 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Overview: Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method…

  • CVE-2026-54499 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Summary: Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using `torch.load(..., weights_only=True)`, but automatically falls back to the fully unsafe `torch.load(..., weights_only=False)` when the safe load raises `pickle.UnpicklingError`. Because the…

  • CVE-2026-54317 · high · Jun 19, 2026
    risk 0.45 · cvss · epss 0.00

    Summary: The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the…

  • CVE-2026-54297 · high · Jun 19, 2026
    risk 0.38 · cvss · epss 0.00

    Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters. Summary: `Faraday::NestedParamsEncoder`, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum…

  • CVE-2026-53492 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations…

  • CVE-2026-53489 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. Patches: This bug has been fixed in the…

  • CVE-2026-53488 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Impact: A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels…

  • CVE-2026-54502 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: `Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating the size. When `opts->indent` is set to `INT_MAX`…

  • CVE-2026-54899 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a heap use-after-free. When `symbol_keys` is toggled from `true` to `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next `parse` call…

  • CVE-2026-23879 · high · Jun 19, 2026
    risk 0.38 · cvss · epss 0.00

    Summary: There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library…

  • CVE-2026-55773 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Summary: CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow policy injection. Impact: **Cedar-expression injection via unescaped…

  • CVE-2026-55772 · high · Jun 19, 2026
    risk 0.45 · cvss · epss

    Summary: CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow type confusion across the Java-Rust FFI boundary. Impact: …

  • CVE-2026-55883 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Summary: The Tilt HUD WebSocket (`/ws/view`) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an `Origin` header. When the HUD is network-exposed, an attacker can open the HUD stream and read the…

  • CVE-2026-55882 · high · Jun 19, 2026
    risk 0.38 · cvss · epss

    Summary: The Tilt HUD server mounts Go's `net/http/pprof` handlers under `/debug` with no access control. When the HUD is network-exposed, an attacker can read process memory, including session and apiserver tokens, and hold the process under profiling. Details: A…

  • CVE-2026-54695 · high · Jun 18, 2026
    risk 0.38 · cvss · epss

    Development Runner Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID. Summary: The pipecat development runner registers a `/ws` WebSocket endpoint for telephony testing that accepts connections without any authentication. An…

  • CVE-2026-54005 · high · Jun 18, 2026
    risk 0.38 · cvss · epss

    TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of…

  • CVE-2026-54002 · high · Jun 18, 2026
    risk 0.38 · cvss · epss

    TL;DR: This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or…

  • CVE-2026-49276 · high · Jun 18, 2026
    risk 0.45 · cvss · epss

    TL;DR: This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly…

  • CVE-2026-55672 · high · Jun 18, 2026
    risk 0.38 · cvss · epss

    Summary: Zitadel's OAuth2 / OIDC `CodeExchange` and `RefreshToken` implementations omit a critical validation step to ensure that the requesting client matches the client that originally initiated the authorization flow. This violates RFC 6749 Section 4.1.3, which mandates…

  • CVE-2026-55603 · high · Jun 18, 2026
    risk 0.38 · cvss · epss 0.00

    Summary: `fixRequestBody()` is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the **outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates…

  • CVE-2026-55388 · high · Jun 18, 2026
    risk 0.38 · cvss · epss 0.00

    Summary: `piscina`'s constructor and `run()` paths read the `filename` option via plain member access: ```js // dist/index.js line 92 (constructor) const filename = options.filename ? (0, common_1.maybeFileURLToPath)(options.filename) : null; this.options = {…

  • CVE-2026-55887 · high · Jun 18, 2026
    risk 0.38 · cvss · epss

    Summary: A maliciously crafted OCI image label can inject arbitrary arguments into the `docker run` command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via `docker://`, or that the victim's catalog pulls a snapshot from,…

  • CVE-2026-55229 · high · Jun 18, 2026
    risk 0.38 · cvss · epss

    Summary: Server-Side Request Forgery (SSRF) vulnerability affecting the `/forms/libreoffice/convert` endpoint in Gotenberg v8.33.0 running with the default configuration. By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically…

  • CVE-2026-12921 · high · Jun 18, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files, which can result in code execution.

  • CVE-2026-12390 · high · Jun 18, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files, which can result in code execution.

  • CVE-2026-8806 · high · Jun 18, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An Expected Behavior Violation (CWE-440) vulnerability exists in the MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP. This vulnerability could allow a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number…

  • CVE-2026-8805 · high · Jun 18, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An integer overflow or wraparound vulnerability exists in the EtherNet/IP function of the MELSEC iQ-F Series EtherNet/IP module. This vulnerability could allow a remote attacker to cause a denial-of-service condition in the affected product by rapidly establishing a large number of…

  • CVE-2026-55470 · high · Jun 17, 2026
    risk 0.38 · cvss · epss

    Summary: The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still…

  • CVE-2026-55760 · high · Jun 17, 2026
    risk 0.38 · cvss · epss

    Impact: Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path…

  • CVE-2026-55409 · high · Jun 17, 2026
    risk 0.38 · cvss · epss 0.00

    In Filament v3, a disabled `RichEditor` field rendered its raw state without sanitizing HTML. Where the data stored in this field's state wasn't already sanitized when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes…

  • CVE-2026-55405 · high · Jun 17, 2026
    risk 0.45 · cvss · epss

    Summary: The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break…

  • CVE-2026-28737 · high · Jun 17, 2026
    risk 0.45 · cvss · epss

    Summary: Me again. Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing…

  • CVE-2026-24791 · high · Jun 17, 2026
    risk 0.38 · cvss · epss

    Summary: Many authenticated self routes under `/api/v1/user/...` do not enforce the `public-only` token restriction. As a result, a token or OAuth grant marked `public-only`, but otherwise carrying the route-required read/write scope category, can access or modify private…

  • CVE-2026-22555 · high · Jun 17, 2026
    risk 0.38 · cvss · epss

    Summary: The API endpoint `POST /api/v1/repos/{owner}/{repo}/forks` only checks `IsOrgMember()` when a user forks a repository into an organization, but does not check `CanCreateOrgRepo()`. The web UI fork handler correctly checks both. This allows a read-only organization…