47 matches found
SUSE CVE-2026-9334
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...
CVE-2026-9334
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...
CVE-2026-9334
Cpanel::JSON::XS (Perl) is affected by a type-confusion issue in decode_hv() for versions before 4.41 when dupkeys_as_arrayref is enabled. The code tests duplicate keys by evaluating SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV, which dereferences a value via SvRV(old_val...
CVE-2026-9334 Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...
CVE-2026-9334 Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...
EUVD-2026-34060
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...
CVE-2026-9334
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...
PT-2026-45891
Name of the Vulnerable Software and Affected Versions Cpanel::JSON::XS versions prior to 4.41 Description Type confusion occurs when dupkeys as arrayref is enabled, allowing duplicate object keys to cause a crash. The decode hv function collapses duplicate keys into an array reference; however, i...
ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection
A flaw was found in Ruby JSON. This vulnerability, a format string injection, allows a remote attacker to cause a denial of service DoS or disclose sensitive information. The flaw occurs when processing specially crafted user-supplied documents with the allowduplicatekey: false parsing option...
CLSA-2026-1778943258 Fix CVE(s): CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568
SECURITY UPDATE: SOAP use-after-free with SOAPPERSISTENCESESSION - debian/patches/CVE-2026-7261.patch: skip zvalptrdtor on the persisted soapobj after header parsing failure when persistence is SOAPPERSISTENCESESSION - CVE-2026-7261 SECURITY UPDATE: SOAP use-after-free via Apache Map with duplica...
PT-2026-40294
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys,...
PT-2026-40304
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys,...
CVE-2026-6722
CVE-2026-6722 describes a use-after-free in PHP’s SOAP extension object deduplication. In affected PHP versions (8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6), the global map stores object pointers without proper reference counting. If an apache:Map node c...
CVE-2026-6722
In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys,...
Astra Linux – Vulnerability in Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: btrfs: fixed a crash that occurred during racing fsync and size-extending writes to prealloc. We have observed crashes occurring due to duplicate keys in btrfssetitemkeysafe: BTRFS critical device vdb: slot 4 key 450 108 8192 new...
GHSA-Q382-VC8Q-7JHJ Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk
The Go SDK recently transitioned to the segmentio/encoding library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with null Unicode characters appended at the end...
Malicious code in transform-es2015-duplicate-keys (npm)
The package 'transform-es2015-duplicate-keys' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...
MAL-2026-1561 Malicious code in transform-es2015-duplicate-keys (npm)
The package 'transform-es2015-duplicate-keys' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...
Linux kernel 安全漏洞
Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from linking duplicate keys to the assocarray of a key ring, which could cause the kernel to crash...
EUVD-2008-1531
Malware in sbrugna...