132 matches found

IBM Security Bulletins
added 2026/04/27 8:56 p.m. | 4 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to regular expression denial of service (ReDoS) due to the transformers package (CVE-2025-2099)

Summary: The transformers package is used by DataStage on Cloud Pak for Data as part of machine learning processing. Vulnerability Details: CVEID: CVE-2025-2099 DESCRIPTION: A vulnerability in the preprocess_string function of the transformers.testing_utils module in huggingface/transformers version...

CVSS 7.5 | AI score 5.5 | EPSS 0.00092
Exploits: 1 | Affected Software: 1

Circl
added 2026/04/20 7:8 a.m. | 1 view

CVE-2099-0001

creationtimestamp | type | source
---|---|---
2026-04-20 07:08:11+00:00 | seen | https://gist.github.com/KursatBB/7be1e57b5ab50dc717e7c8d1372da337...

AI score 5.7
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 8:52 a.m. | 6 views

CVE-2021-2099

Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite component: Preferences. Supported versions that are affected are 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle CRM Technical...

CVSS 8.2 | AI score 7.3 | EPSS 0.01691
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2023-12912

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.2 | EPSS 0.00248
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-2099

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.5 | EPSS 0.00352
Exploits: 0 | References: 7

IBM Security Bulletins
added 2025/09/01 10:30 a.m. | 6 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to transformers-4.48.0-py3-none-any.whl CVE-2025-2099

Summary: IBM Maximo Application Suite - Monitor Component is vulnerable to transformers-4.48.0-py3-none-any.whl CVE-2025-2099. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2025-2099 DESCRIPTION: A vulnerability in the preprocess_string...

CVSS 7.5 | AI score 7.1 | EPSS 0.00092
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/08/28 3:11 p.m. | 5 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers [CVE-2025-2099]

Summary IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers, due to an issue where the regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large...

CVSS 7.5 | AI score 5.5 | EPSS 0.00092
Exploits: 1 | Affected Software: 1

vulnersOsv
added 2025/05/19 12:30 p.m. | 1 view

3m (=0.1.0), aaa-ml-datasets-course (=1.0.0) +1681 more potentially affected by CVE-2025-2099 via transformers (>=2.10.0 <=4.4.2)

transformers PYPI version =2.10.0, =0.1.0, =0.1.1, =0.1.0, =0.0.3, =0.0.1, =0.0.0.dev20230804, =0.1.0, =0.3.0, =0.1.0, =0.2.5, =0.0.1, =0.1.2 and more Source cves: CVE-2025-2099 Source advisory: OSV:GHSA-QQ3J-4F4F-9583...

CVSS 7.5 | AI score 6 | EPSS 0.00092
Exploits: 1

vulnersOsv
added 2025/05/19 12:15 p.m. | 1 view

3m (=0.1.0), aaa-ml-datasets-course (=1.0.0) +1614 more potentially affected by CVE-2025-2099 via transformers (>=2.10.0 <=4.48.3)

transformers PYPI version =2.10.0, =0.1.0, =0.1.1, =0.1.0, =0.0.3, =0.0.1, =0.0.0.dev20230804, =0.1.0, =0.3.0, =0.1.0, =0.2.5, =0.0.1, =0.1.2 and more Source cves: CVE-2025-2099 Source advisory: OSV:PYSEC-2025-40...

CVSS 7.5 | AI score 6 | EPSS 0.00092
Exploits: 1

NVD
added 2025/05/19 12:15 p.m. | 11 views

CVE-2025-2099

A vulnerability in the preprocess_string function of the transformers.testing_utils module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leadin...

CVSS 7.5 | EPSS 0.00092
Exploits: 1 | References: 2

Vulnrichment
added 2025/05/19 11:22 a.m. | 7 views

CVE-2025-2099 Regular Expression Denial of Service (ReDoS) in huggingface/transformers

A vulnerability in the preprocess_string function of the transformers.testing_utils module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leadin...

CVSS 5.3 | AI score 5.4 | EPSS 0.00092
Exploits: 1 | References: 2

Tenable Nessus
added 2025/03/04 12:0 a.m. | 5 views

Linux Distros Unpatched Vulnerability : CVE-2016-2099

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impa...

CVSS 10 | AI score 8.2 | EPSS 0.02173
Exploits: 0 | References: 2

Tenable Nessus
added 2024/06/03 12:0 a.m. | 19 views

RHEL 6 : xerces-c (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - xerces-c: Use-after-free in heap on specially crafted XML input CVE-2016-2099 - internal/XMLReader.cpp in...

CVSS 9.8 | AI score 8.8 | EPSS 0.38346
Exploits: 4 | References: 3

Tenable Nessus
added 2024/06/03 12:0 a.m. | 16 views

RHEL 7 : xerces-c (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - xerces-c: Use-after-free in heap on specially crafted XML input CVE-2016-2099 Note that Nessus has not tested for...

CVSS 9.8 | AI score 6.9 | EPSS 0.02173
Exploits: 0 | References: 1

Tenable Nessus
added 2024/05/11 12:0 a.m. | 20 views

RHEL 7 : xerces-c (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - xerces-c: Use-after-free in heap on specially crafted XML input CVE-2016-2099 Note that Nessus has not tested for...

AI score 7.3 | EPSS 0.02173
Exploits: 0 | References: 1

Tenable Nessus
added 2023/10/16 12:0 a.m. | 28 views

Ubuntu 16.04 ESM / 18.04 ESM : Xerces-C++ vulnerabilities (USN-4784-1)

The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4784-1 advisory. It was discovered that Xerces-C++ XML Parser mishandles certain kinds of external DTD references, resulting in a use-after-free. An attacker...

CVSS 10 | AI score 7.5 | EPSS 0.38346
Exploits: 3 | References: 4

Tenable Nessus
added 2023/09/07 12:0 a.m. | 15 views

Oracle Linux 7 : samba (ELSA-2019-2099)

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2019-2099 advisory. - resolves: 1696524 - Fix CVE-2019-3880 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus...

CVSS 5.5 | AI score 5.7 | EPSS 0.03388
Exploits: 0 | References: 2

NVD
added 2023/09/06 6:15 p.m. | 10 views

CVE-2023-0925

Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry listening on TCP port 2099 by default and two RMI interfaces listening on a single, dynamically assigned TCP high port. Port 2099 serves as a Java Remote Method Invocation RMI...

CVSS 9.8 | AI score 9.4 | EPSS 0.00248
Exploits: 0 | References: 1

OpenVAS
added 2023/06/07 12:0 a.m. | 24 views

Huawei EulerOS: Security Advisory for rsync (EulerOS-SA-2023-2099)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 8.2 | EPSS 0.00089
Exploits: 1 | References: 2

CVE
added 2023/04/15 12:0 p.m. | 37 views

CVE-2023-2099

CVE-2023-2099 affects SourceCodester Vehicle Service Management System v1.0. The vulnerability is a cross-site scripting flaw in an unknown part of /classes/Users.php where manipulating the id parameter triggers XSS. The issue can be exploited remotely and has publicly disclosed exploits (VDB-226...

CVSS 6.1 | AI score 4.8 | EPSS 0.00245
Exploits: 1 | References: 3 | Affected Software: 1