CVE-2026-42999

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforcecall unconditionally merges the raw JSON request body into the policy enforcement dictionary via policydict.updatejsoninput.copy, overwriting trusted target data that was previously set from...

CVE-2026-42999

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforcecall unconditionally merges the raw JSON request body into the policy enforcement dictionary via policydict.updatejsoninput.copy, overwriting trusted target data that was previously set from...

CVE-2026-42999

OpenStack Keystone prior to 29.0.2 contains CVE-2026-42999, where the RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary (policy_dict.update(json_input.copy())). Since flask.request.get_json is called with force=True, this ...

CVE-2026-42999

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforcecall unconditionally merges the raw JSON request body into the policy enforcement dictionary via policydict.updatejsoninput.copy, overwriting trusted target data that was previously set from...

GHSA-QJX8-664M-686J JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

Summary js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property, so the for…in enumerates it and the targetkey = sourcekey write triggers the...

CVE-2026-47091

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcriptpath value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a...

EUVD-2026-30521

The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON field values and unsafe client-side HTML construction in the updatepreview JavaScript function. Th...

PT-2026-41276

The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON field values and unsafe client-side HTML construction in the update preview JavaScript function...

PT-2026-40728

Name of the Vulnerable Software and Affected Versions uniget versions prior to 0.27.1 Description A command injection issue exists in uniget, a universal installer and updater for container tools. The problem occurs because the check field from JSON metadata files is loaded and executed using...

CLSA-2026-1778142360 jq: Fix of 2 CVEs

CVE-2026-33947: limit path depth in jvsetpath, jvgetpath, and jvdelpaths to prevent stack overflow from deep path arrays - CVE-2026-33948: remove strlen-based length calculation that truncated JSON input at embedded NUL bytes, preventing parser-differential attacks...

CVE-2026-37525

AGL app-framework-binder afb-daemon through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The onsupervisioncall function in src/afb-supervision.c explicitly nullifies the request credentials by calling afbcontextchangecred&xreq-context, NULL before...

CVE-2026-37525

The CVE-2026-37525 entry concerns the AGL app-framework-binder (afb-daemon) up to v19.90.0. The vulnerability resides in the supervision Do command: the on_supervision_call path explicitly_nullifies credentials via afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-co...

PT-2026-36503

Name of the Vulnerable Software and Affected Versions AGL app-framework-binder afb-daemon versions prior to 19.90.1 Description A privilege escalation issue exists in the supervision Do command. The on supervision call function in src/afb-supervision.c nullifies request credentials by calling afb...

Amazon Linux 2023 : rclone (ALAS2023-2026-1607)

"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1607 advisory. crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir...

Infinite loop

Overview iodine is a fast HTTP / Websocket Server with built-in Pub/Sub support with or without Redis, static file support and many other features, optimized for Ruby MRI on Linux / BSD / macOS. Affected versions of this package are vulnerable to Infinite loop through the fiojsonparse function. A...

CVE-2026-40164

A flaw was found in jq, a command-line JSON processor. A remote attacker could exploit this vulnerability by providing a specially crafted JSON object. This object leverages a weakness in jq's hashing algorithm, which uses a hardcoded, publicly known seed. By crafting the JSON object to cause has...

CVE-2026-33948 jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

Linux Distros Unpatched Vulnerability : CVE-2026-1092

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have...

AVideo Unauthenticated SQL Injection Credential Dump

AVideo use auxiliary/gather/avideocatnamesqli msf auxiliaryavideocatnamesqli show actions ...actions... msf auxiliaryavideocatnamesqli set ACTION msf auxiliaryavideocatnamesqli show options ...show and set options... msf auxiliaryavideocatnamesqli run This module requires Metasploit:...

CVE-2026-1092

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads...