github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: jtidy (UTSA-2026-021487)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021487 advisory. An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies...

CVE-2026-7814

Summary: CVE-2026-7814 is a stored XSS in pgAdmin 4’s Browser Tree and Explain Visualizer. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were inserted into the DOM via innerHTML, enabling crafted names with HTML markup to execute attacker-supplied JavaScript in a...

CVE-2026-44126 Insecure deserialization

SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object...

com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects

A flaw was found in mchange-commons-java, a Java utility library. An attacker can exploit this vulnerability by providing a maliciously crafted javax.naming.Reference or serialized object to an application using the library. This can provoke the application to download and execute arbitrary...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the read process of the OBJ file parser when handling crafted OBJ files. An attacker can cause a denial of service or obtain sensitive information by persuading a victim to open a specially crafted OBJ file that...

EUVD-2026-26600

A heap-based out-of-bounds read vulnerability in RWObjReader::read in the OBJ file parser in Open CASCADE Technology OCCT V800rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file. The issue occurs because...

CVE-2026-33940 Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the...

GHSA-XHPV-HC6G-R9C6 Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

Summary A crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile...

Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

Summary A crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile...

OESA-2026-1657 jtidy security update

JTidy is the Java port for HTML Tidy, which is an HTML syntax checker and a nice printer. JTidy can be used as a tool to clean up misformatted HTML. In addition, JTidy provides a DOM interface to the documents being processed, effectively enabling you to use JTidy as a DOM parser for real HTML...

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the initializesections function of the Object File Handler. An attacker can execute arbitrary code or cause a denial of service by providing specially crafted object files to the application during local...

Kentico Xperience cross-site scripting vulnerability (CNVD-2026-05124)

Kentico Xperience is a digital experience platform from Kentico. Kentico Xperience suffers from a cross-site scripting vulnerability that can be exploited by an attacker to inject malicious script via an error message containing a specially crafted object name...

CVE-2020-36889 Kentico Xperience <= 12.0.90 Administration Interface Stored XSS

A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administrators view error messages in the administration...

EUVD-2020-20053

Malware in sbrugna...

EUVD-2023-1710

Malicious code in bioql PyPI...

libdwarf before 20201017 has a one-byte out-of-bounds read because of an invalid pointer dereference via an invalid line table in a crafted object.

...

DEBIAN-CVE-2025-8715

Improper neutralization of newlines in pgdump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks...

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the restore process via psql meta-commands inside a purpose-crafted object name. An attacker can execute arbitrary code by injecting meta commands into the file, which can be executed by an unknowing user during the...