90 matches found
CVE-2026-46672
The CVE-2026-46672 entry describes a local CSV formula-injection flaw in the @actual-app/cli before version 26.6.0. The CLI uses a hand-rolled CSV serializer in packages/cli/src/output.ts with an escapeCsv that only neutralizes RFC 4180 delimiters (comma, quote, newline) and does not neutralize c...
GO-2026-5182 OpenBao: LDAPi ldaputil (wrong escape func) in github.com/openbao/openbao
OpenBao: LDAPi ldaputil wrong escape func in github.com/openbao/openbao...
DEBIAN-CVE-2026-40079
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escapecommand function. The escapecommand function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built ...
UBUNTU-CVE-2026-40079
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escapecommand function. The escapecommand function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built ...
GHSA-6MWX-4547-5VC9 OpenBao: LDAPi ldaputil (wrong escape func)
Description Component sdk/helper/ldaputil/client.go — the shared LDAP utility library used by both the LDAP authentication backend and OpenLDAP secrets engine to construct LDAP search filters and bind DNs. Root Cause The LDAP utility contains a function selection error that causes incorrect...
Astra Linux – Vulnerability in glib2.0
A heap-based buffer overflow issue was discovered in glib due to an incorrect calculation of the buffer size in the gescapeuristring function. If the string to be escaped contains a very large number of unacceptable characters which would require escaping, the calculation of the length of the...
PT-2026-51108
Name of the Vulnerable Software and Affected Versions OpenBao affected versions not specified Description An issue exists in the shared LDAP utility library sdk/helper/ldaputil/client.go used by the LDAP authentication backend and OpenLDAP secrets engine. The GetUserDN function incorrectly uses...
CVE-2026-44172
CVE-2026-44172 affects MariaDB (community fork of MySQL). In versions 3.3.18 and 3.4.8, non-validated user input escaped with mysql_real_escape_string() and sent via text protocol using the big5 character set could be exploited for SQL injection, despite the escaping attempt. The issue has been p...
CVE-2026-8295
An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "stringbuilder::escapeandappend" when processing very large input strings on platforms with limited "sizet" width e.g., 32-bit builds. The overflow can cause insufficient buffer...
CVE-2026-42794 Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...
GHSA-G82G-M9VX-VHJG Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget
Summary The client-side escapeForHtml function in KimaiEscape.js, introduced in commit 89bfa82c 2959 to fix a JavaScript XSS vulnerability, only escapes , and & but does not escape " double quote or ' single quote. When user-controlled data profile alias is placed in an HTML attribute context...
EUVD-2026-11333
Shescape escape leaves bracket glob expansion active on Bash, BusyBox, and Dash...
CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
CVE-2026-32094 Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...
glib: Integer overflow in in g_escape_uri_string()
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the gescapeuristring function. If the string to escape contains a very large number of unacceptable characters which would need escaping, the calculation of the length of the escaped string...
Moderate: Red Hat Security Advisory: glib2 security update
An update for glib2 is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...
CVE-2022-31180
Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the escape or escapeAll functions with the interpolation option set to true. The result is that if ...
EUVD-2015-7774
Malware in sbrugna...
EUVD-2017-0075
Malware in sbrugna...