Alibaba Cloud Linux 3 : 0115: jq (ALINUX3-SA-2026:0115)

The remote Alibaba Cloud Linux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0115 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-39979: A flaw was found in jq, a...

Atlassian Jira Service Management Data Center and Server 11.2.0 < 11.3.5 (JSDSERVER-16576)

The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16576 advisory. - jackson-core contains core low-level incremental streaming parser and generator abstractions used by...

CLSA-2026-1778661840 skopeo: Fix of CVE-2024-24786

CVE-2024-24786: fix infinite loop in vendored google.golang.org/protobuf protojson.Unmarshal on malformed JSON by handling EOF in skipJSONValue and rejecting ObjectClose after a Name token in Decoder.Read...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Exim vulnerabilities (USN-8228-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8228-1 advisory. It was discovered that Exim incorrectly handled parsing malformed JSON in message headers. A remote attacker could possib...

Security Bulletin: Security vulnerability has been detected in IBM Security Verify Governance Identity Manager Adapters

Summary IBM Security Verify Governance Identity Manager Adapters use jackson-core-2.12.0.jar, which is affected by vulnerability WS-2026-0003 Vulnerability Details ID:WS-2026-0003 DESCRIPTION: The non-blocking async JSON parser in jackson-core bypasses the maxNumberLength constraint default: 1000...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read due to improper bounds checking in the JSON parsing process. An attacker can cause the application to read memory outside the intended buffer by providing specially crafted JSON input. Remediation Upgrade thrift to...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: jq (UTSA-2026-014279)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014279 advisory. jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass...

PT-2026-34238

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fio json parse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : RapidJSON vulnerability (USN-8189-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8189-1 advisory. It was discovered that RapidJSON did not properly protect against integer overflows in certain instances when...

CVE-2026-33948

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

EUVD-2026-22158

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions

A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by...

PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint

Summary The AGUI endpoint POST /agui has no authentication and hardcodes Access-Control-Allow-Origin: on all responses. Combined with Starlette/FastAPI's Content-Type-agnostic JSON parsing, any website a victim visits can silently trigger arbitrary agent execution against a locally-running AGUI...

Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated...

GHSA-8F9R-GR6R-X63Q Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated...

CVE-2026-35640

OpenClaw before 2026.3.25 parses JSON webhook request bodies before validating signatures, enabling unauthenticated attackers to trigger denial of service by forcing resource-intensive JSON parsing. Affected package: openclaw (versions

CVE-2026-35640 OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through...

PT-2026-31775

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25 Description OpenClaw versions prior to 2026.3.25 are susceptible to a denial of service. The software parses JSON request bodies before validating webhook signatures, which allows unauthenticated attackers ...

BIT-NODE-2026-21717

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...

GHSA-CCGF-5RWJ-J3HV TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`

Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...