CVE-2026-39821 affecting package vitess for versions less than 19.0.4-10
CVE-2026-39821 affecting package vitess for versions less than 19.0.4-10. A patched version of the package is available...
CVE-2026-23869
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. The vulnerability is triggered ...
CVE-2025-11065 affecting package vitess for versions less than 19.0.4-9
CVE-2025-11065 affecting package vitess for versions less than 19.0.4-9. A patched version of the package is available...
CVE-2026-27969 affecting package vitess for versions less than 19.0.4-8
CVE-2026-27969 affecting package vitess for versions less than 19.0.4-8. A patched version of the package is available...
AZL-75560 CVE-2025-11065 affecting package vitess 19.0.4-7
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in...
Allocation of Resources Without Limits or Throttling
Overview: react-server-dom-turbopack provides React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...
Allocation of Resources Without Limits or Throttling
Overview: react-server-dom-webpack provides React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttli...
AZL-57324 CVE-2025-22868 affecting package vitess for versions less than 19.0.4-5
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing...
AZL-56066 CVE-2024-45339 affecting package vitess for versions less than 19.0.4-4
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that...
CVE-2023-45288 affecting package vitess for versions less than 19.0.4-2
CVE-2023-45288 affecting package vitess for versions less than 19.0.4-2. An upgraded version of the package is available that resolves this issue...
CVE-2024-24786 affecting package vitess for versions less than 19.0.4-2
CVE-2024-24786 affecting package vitess for versions less than 19.0.4-2. An upgraded version of the package is available that resolves this issue...
CVE-2024-32886 Vitess vulnerable to infinite memory consumption and vtgate crash
Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7...
AZL-35674 CVE-2024-24786 affecting package vitess for versions less than 19.0.4-2
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set...
AZL-35348 CVE-2023-3978 affecting package vitess for versions less than 19.0.4-2
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...
Input validation
Nozomi Networks OS before 19.0.4 allows //network?tab=networknodelist.html CSV Injection...
CVE-2020-15307
Nozomi Guardian before 19.0.4 allows attackers to achieve stored XSS in the web front end by leveraging the ability to create a custom field with a crafted field name...
Cross-site request forgery attack on change password form
Summary: Change password doesn't validate the CSRF token properly. Impact: An attacker can force the victim to change their password without knowing. To successfully complete this attack the victim needs to be logged in to the Guardian/CMC and visit a specially prepared page containing the forged change password...