
71 matches found

Debian CVE
added 2026/03/20 12:7 a.m. (2 views)

CVE-2026-32766

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser...

CVSS 6.3, AI score 5.3, EPSS 0.00017, Exploits 0

OSV
added 2026/03/20 12:7 a.m. (2 views)

CVE-2026-32766 astral-tokio-tar insufficiently validates PAX extensions during extraction

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser...

CVSS 6.3, AI score 5.8, EPSS 0.00017, Exploits 0, References 4

UbuntuCve
added 2026/03/20 12:0 a.m. (2 views)

CVE-2026-32766

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser...

CVSS 6.3, AI score 5.7, EPSS 0.00017, Exploits 0, References 3

CNNVD
added 2026/03/20 12:0 a.m. (4 views)

astral-tokio-tar security vulnerability

astral-tokio-tar is an open-source Rust library developed by Astral. Versions of astral-tokio-tar 0.5.6 and earlier contain security vulnerabilities. These vulnerabilities stem from the silent skipping of malformed PAX extensions during the parsing of tar archives. Such behavior could potential...

CVSS 6.3, AI score 5.8, EPSS 0.00017, Exploits 0, References 3

Github Security Blog
added 2026/03/17 7:49 p.m. (5 views)

astral-tokio-tar insufficiently validates PAX extensions during extraction

Impact: In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by having...

CVSS 6.3, AI score 5.8, EPSS 0.00017, Exploits 0, References 5, Affected Software 1

RedhatCVE
added 2025/12/13 3:59 a.m. (2 views)

CVE-2025-13889

The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, AI score 5, EPSS 0.00031, Exploits 0, References 1

EUVD
added 2025/12/12 6:31 a.m. (1 view)

EUVD-2025-203014

The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, AI score 4.7, EPSS 0.00031, Exploits 0, References 4

CVE
added 2025/12/12 3:20 a.m. (10 views)

CVE-2025-13889

CVE-2025-13889 : The Simple Nivo Slider WordPress plugin is vulnerable to a stored XSS via the shortcodes’ id parameter in all versions up to 0.5.6 due to insufficient input sanitization and output escaping. The issue requires authentication: attackers with Contributor-level access or higher can ...

CVSS 6.4, AI score 4.7, EPSS 0.00031, Exploits 0, References 3

Cvelist
added 2025/12/12 3:20 a.m. (24 views)

CVE-2025-13889 Simple Nivo Slider <= 0.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, EPSS 0.00031, Exploits 0, References 3

Vulnrichment
added 2025/12/12 3:20 a.m. (1 view)

CVE-2025-13889 Simple Nivo Slider <= 0.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, AI score 4.7, EPSS 0.00031, Exploits 0, References 3

CNNVD
added 2025/12/12 12:0 a.m. (2 views)

WordPress plugin Simple Nivo Slider cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin... A cross-site scripti...

CVSS 6.4, AI score 5.7, EPSS 0.00031, Exploits 0, References 3

NVD
added 2025/12/09 9:16 p.m. (2 views)

CVE-2025-67489

@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC...

CVSS 9.8, EPSS 0.00362, Exploits 0, References 2

OSV
added 2025/12/09 8:54 p.m. (3 views)

CVE-2025-67489 @vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server

@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC...

CVSS 9.8, AI score 8.1, EPSS 0.00362, Exploits 0, References 4

Positive Technologies
added 2025/12/09 12:0 a.m. (4 views)

PT-2025-50276

Name of the Vulnerable Software and Affected Versions: @vitejs/plugin-rsc versions 0.5.5 and below. Description: The @vitejs/plugin-rsc software, which provides React Server Components (RSC) support for Vite, contains a flaw that could allow for arbitrary remote code execution on the development server...

CVSS 9.8, AI score 7.7, EPSS 0.00362, Exploits 0, References 5

Snyk
added 2025/12/08 10:16 p.m. (2 views)

Arbitrary Code Injection

Overview: @vitejs/plugin-rsc is a React Server Components (RSC) support for Vite. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe dynamic imports in the loadServerAction, decodeReply, and decodeAction server APIs. An attacker can execute arbitrary JavaScript...

CVSS 9.8, AI score 7.7, EPSS 0.00362, Exploits 0, References 2

RedhatCVE
added 2025/11/07 12:19 a.m. (5 views)

CVE-2025-62161

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

CVSS 10, AI score 6.8, EPSS 0.00052, Exploits 0, References 1

NVD
added 2025/11/06 12:15 a.m. (3 views)

CVE-2025-62161

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

CVSS 10, EPSS 0.00052, Exploits 0, References 2

CNNVD
added 2025/11/06 12:0 a.m. (2 views)

youki security vulnerability

youki is an open source implementation of the OCI runtime specification in Rust. A security vulnerability exists in youki version 0.5.6 and earlier, which stems from insufficient validation of the write target by the apparmor handler, which in combination with path substitution during pathna...

CVSS 10, AI score 6.5, EPSS 0.00055, Exploits 0, References 6

Cvelist
added 2025/11/05 11:9 p.m. (13 views)

CVE-2025-62161 youki container escape via "masked path" abuse due to mount race conditions

Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7...

CVSS 7.3, EPSS 0.00052, Exploits 0, References 2

CVE
added 2025/11/05 11:9 p.m. (20 views)

CVE-2025-62161

Summary: CVE-2025-62161 affects Youki container runtime prior to v0.5.7, where the initial validation of the host path /dev/null is insufficient when Youki bind-mounts the container’s /dev/null as a mask. This race/validation flaw can enable container escape under bind-mount scenarios. Root caus...

CVSS 10, AI score 6.4, EPSS 0.00052, Exploits 0, References 2, Affected Software 1