Astra Linux – Vulnerability in snakeyaml

The package org.yaml:snakeyaml in versions 0 and earlier than 1.31 is vulnerable to Denial of Service DoS attacks due to a missing nested depth limitation in collections...

Uncontrolled Recursion

Axios is vulnerable to uncontrolled recursion. The vulnerability is due to the toFormData function recursively processing deeply nested objects without a depth limit, which allows an attacker to supply specially crafted input that triggers a stack overflow and crashes the Node.js process...

CLSA-2026-1777446517 squid: Fix of 3 CVEs

CVE-2019-12521: fix ESI parser off-by-one heap overflow by enforcing a stack-depth limit and throwing on overflow - CVE-2019-12524 already addressed by the CVE-2019-12520 backport same fix upstream; see Squid advisory SQUID-2019:4...

squid: Fix of 3 CVEs

CVE-2019-12521: fix ESI parser off-by-one heap overflow by enforcing a stack-depth limit and throwing on overflow - CVE-2019-12524 already addressed by the CVE-2019-12520 backport same fix upstream; see Squid advisory SQUID-2019:4...

Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-27601)

Summary IBM Security SOAR uses an older version of the Underscore.js component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.9.2 Vulnerability Details CVEID:CVE-2026-27601 DESCRIPTION:...

CVE-2026-40324

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

CVE-2026-40324 Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

PT-2026-33381

Name of the Vulnerable Software and Affected Versions Hot Chocolate versions prior to 12.22.7 Hot Chocolate versions prior to 13.9.16 Hot Chocolate versions prior to 14.3.1 Hot Chocolate versions prior to 15.1.14 Description The recursive descent parser Utf8GraphQLParser lacks a recursion depth...

kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution

CVSS 6.5 Medium — The GraphQL API served by kubernetes-graphql-gateway is vulnerable to Denial-of-Service DoS attacks due to a complete absence of query resource controls depth limiting, complexity analysis, response size capping, and rate limiting. An authenticated attacker can craft queries tha...

GHSA-5JG4-P4QW-CGFR @stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags

Summary @stablelib/cbor decodes nested CBOR structures recursively and does not enforce a maximum nesting depth. A sufficiently deep attacker-controlled CBOR payload can therefore crash decoding with RangeError: Maximum call stack size exceeded. Details The decoder processes arrays, maps, and...

CVE-2026-23405

CVE-2026-23405 concerns the Linux kernel AppArmor feature where policy namespaces could be nested arbitrarily deep, potentially exhausting system resources. The vulnerability arises because policy namespaces were not bounded by the user namespace depth, and are not strictly tied to user namespace...

CVE-2026-32944

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...

GHSA-P6Q4-FGR8-VX4P Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix

Summary StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix GHSA-wgh7-7m3c-fx25 Details The recent fix for GHSA-wgh7-7m3c-fx25 uncontrolled recursion in parser added ExpressionDepthLimit defaulting to 250. However, deeply nested array initializers ... recurse...

Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix

Summary StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix GHSA-wgh7-7m3c-fx25 Details The recent fix for GHSA-wgh7-7m3c-fx25 uncontrolled recursion in parser added ExpressionDepthLimit defaulting to 250. However, deeply nested array initializers ... recurse...

GHSA-3C37-WWVX-H642 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

Summary - The cbor2 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. - This vulnerability affects both the pure Python implementation and the C extension cbor2. The C extension correctly uses Python's C-API for...

GHSA-6QH5-M6G3-XHQ6 Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

BIT-PARSE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server an...

AutoMapper 安全漏洞

AutoMapper is an object mapping library open source by Lucky Penny Software LLC. Versions of AutoMapper prior to 15.1.1 and 16.1.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcing a default maximum depth limit when mapping deeply nested object graphs,...

GHSA-WGH7-7M3C-FX25 Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service)

Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOverflowException. I...

Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service)

Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOverflowException. I...