130 matches found
DEBIAN-CVE-2026-54592
Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in...
UBUNTU-CVE-2026-54592
Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in...
CVE-2026-54592 Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input
Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in...
CVE-2026-54592
Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in...
Allocation of Resources Without Limits or Throttling
Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the...
protobufjs: Denial of service through unbounded Any expansion during JSON conversion
Summary protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject conversion and the custom google.protobuf.Any JSON conversion path. A crafted protobuf binary payload containing deeply nested Any values could cause...
CVE-2026-46373
Affected software: SQLFluff (SQL linter/formatter) with parsers for multiple dialects. Vulnerability: In versions before 4.1.0, an untrusted user can submit deeply nested SQL queries that trigger a Denial of Service through resource exhaustion when parsed. Root cause: recursive/stack-based parsin...
CVE-2026-42358
A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...
CVE-2026-42358
A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...
EUVD-2026-33589
A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...
CVE-2026-42358
Summary (CVE-2026-42358): In Apache Airflow, the Variable response masker can bypass nested-key redaction when JSON values are deeply nested. Keys ending with secret-like suffixes (password, token, secret, api_key) could have their plaintext values exposed if nesting depth exceeds the masker's re...
PT-2026-45370
Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description A bug in the Variable response masker allows the bypass of nested-key redaction when the nesting depth of a JSON value exceeds the recursion limit of the shared secrets masker. This occurs wit...
SUSE CVE-2026-42328
go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...
OESA-2026-2427 jq security update
jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fixes: jq is ...
OESA-2026-2426 jq security update
jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fixes: jq is ...
OESA-2026-2424 jq security update
jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fixes: jq is ...
CVE-2026-47307
NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions. This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9...
CVE-2026-45740
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON and Namespace.addJSON. A crafted JSON descriptor with deeply nested namespace definitions...
SUSE CVE-2026-40612
jq is a command-line JSON processor. In 1.8.1 and earlier, jvcontains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure built programmatically with reduce, since the JSON parser caps at depth 10000, the C stack is exhausted...
CVE-2026-42355
CVE-2026-42355 affects NanaZip, an open‑source file archive. The issue is an uncontrolled recursion in the Electron Archive (ASAR) parser when opening a crafted .asar with deeply nested JSON in the header. The recursion occurs in both nlohmann::json::parse and the handler’s GetAllPaths, consuming...