CVE-2024-14031

CVE-2024-14031 affects Sereal::Encoder versions 4.000–4.009_002 for Perl, which embeds the Zstandard (zstd) library vulnerable to CVE-2019-11922. The vulnerability is a race-condition in Zstandard’s one-pass compression, allowing out-of-bounds writes when the output buffer is smaller than recomme...

CVE-2024-14031

Sereal::Encoder versions from 4.000 through 4.009002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard zstd library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prio...

PT-2026-29223

Name of the Vulnerable Software and Affected Versions Sereal::Encoder versions 4.000 through 4.009 002 Description Sereal::Encoder for Perl includes a vulnerable version of the Zstandard zstd library. A race condition exists in the one-pass compression functions of Zstandard versions prior to...

Sereal::Encoder 安全漏洞

Sereal::Encoder is a coding module developed by YVES’s individual developers, designed to convert data into high-performance binary serialization formats. Versions 4.000 to 4.009002 of Sereal::Encoder contain security vulnerabilities. These vulnerabilities stem from a buffer out-of-bounds write...

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by CVE-2026-33940 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33940 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15803087...

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by CVE-2026-33939 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33939 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15807043...

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by CVE-2026-33938 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33938 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15803083...

GHSA-F359-R3PV-2PHF AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints

Summary isSSRFSafeURL validates URLs against private/reserved IP ranges before fetching, but urlgetcontents follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Root Cause Check-time:...

CVE-2026-29078

Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx-bufferused -= size with a stale size = 3 causes an integer underflow that wraps to SIZEMAX. Afterwards, memcpy is called with ...

CVE-2026-33482

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...

CVE-2019-25650 River Past CamDo 3.7.6 Structured Exception Handler Buffer Overflow

River Past CamDo 3.7.6 contains a structured exception handler SEH buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the Lameenc.dll name field. Attackers can craft a payload with a 280-byte buffer, NSEH jump instruction, and SE...

River Past CamDo 缓冲区错误漏洞

River Past CamDo is a screen recording and camera capture tool developed by River Past Corporation. Version 3.7.6 of River Past CamDo contains a buffer error vulnerability. This vulnerability stems from a buffer overflow in the structured exception handler, which may allow local attackers to...

PT-2026-28536

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description AVideo, an open source video platform, is susceptible to a Server-Side Request Forgery SSRF bypass. The isSSRFSafeURL function validates URLs against private IP ranges before fetching, but t...

GHSA-8WF4-C4X3-H952 AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL

Summary The downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing an invalid resolution parameter, an attacker triggers an early die via...

AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL

Summary The downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing an invalid resolution parameter, an attacker triggers an early die via...

MGASA-2026-0067 Updated graphicsmagick packages fix security vulnerabilities

GraphicsMagick has a stack write buffer overflow in MNG encoder. CVE-2026-28690 GraphicsMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder. CVE-2026-30883...

Updated graphicsmagick packages fix security vulnerabilities

GraphicsMagick has a stack write buffer overflow in MNG encoder. CVE-2026-28690 GraphicsMagick has a Heap Overflow when writing extremely large image profile in the PNG encoder. CVE-2026-30883...

CVE-2026-33717

Summary: CVE-2026-33717 affects WWBN AVideo (versions up to 26.0). The vulnerability in the downloadVideoFromDownloadURL() function stores remote content in a web-accessible temp directory using the original URL filename/extension (including .php). By passing an invalid resolution parameter, an a...

CVE-2026-33717 AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloadURL with Resolution Validation Abort

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing...

CVE-2026-33482

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...