Lucene search
+L

495 matches found

osv
osv
added 2026/03/29 3:30 p.m.4 views

GHSA-C447-W54G-F55J Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jq3f-vjww-8rq7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the...

8.7CVSS5.8AI score0.00531EPSS
Exploits0References4
euvd
euvd
added 2026/03/29 3:30 p.m.4 views

EUVD-2026-17020

OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket...

8.7CVSS5.9AI score0.00531EPSS
Exploits0References4
cve
cve
added 2026/03/29 12:44 p.m.22 views

CVE-2026-32980

OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies prior to validating the x-telegram-bot-api-secret-token header, enabling unauthenticated attackers to exhaust server resources. Attack vectors involve POST requests to the webhook endpoint that can trigger memory consumpt...

8.7CVSS5.9AI score0.00531EPSS
Exploits0References3Affected Software1
redhatcve
redhatcve
added 2026/03/26 3:11 p.m.5 views

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

7.5CVSS5.8AI score0.0037EPSS
Exploits1References1
github
github
added 2026/03/25 5:33 p.m.7 views

@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

Impact JSON.parseenv.adapterConfig is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled...

5.8AI score
Exploits0References2Affected Software1
susecve
susecve
added 2026/03/25 12:26 a.m.5 views

SUSE CVE-2026-27896

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags - a field tagged json:"method" would also match "Method", "METHOD", etc...

7CVSS5.8AI score0.00255EPSS
Exploits0References3
osv
osv
added 2026/03/24 7:29 p.m.14 views

GHSA-3RMJ-9M5H-8FPV Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Summary Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves 15x memory amplification wire bytes to...

5.9CVSS5.9AI score0.0037EPSS
Exploits1References5
github
github
added 2026/03/24 7:29 p.m.11 views

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Summary Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves 15x memory amplification wire bytes to...

7.5CVSS5.9AI score0.0037EPSS
Exploits1References5Affected Software1
nvd
nvd
added 2026/03/24 7:16 p.m.5 views

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

7.5CVSS0.0037EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/03/24 12:0 a.m.7 views

PT-2026-27479

Name of the Vulnerable Software and Affected Versions Astro versions prior to 10.0.0 Description Astro's Server Islands POST handler does not enforce a size limit when buffering and parsing JSON request bodies. The JSON.parse function allocates a V8 heap object for each element in the input,...

5.9CVSS5.9AI score0.0037EPSS
Exploits1References8
osv
osv
added 2026/03/23 6:14 p.m.6 views

GO-2026-4770 Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk

Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk...

5.8AI score
Exploits0References3
cve
cve
added 2026/03/20 10:32 p.m.30 views

CVE-2026-33203

CVE-2026-33203 affects SiYuan prior to 3.6.2. The SiYuan kernel WebSocket server accepts unauthenticated connections when an explicit auth keepalive parameter is present. After connection, messages are parsed with unchecked type assertions on attacker-controlled JSON, allowing a remote attacker t...

7.5CVSS5.9AI score0.00497EPSS
Exploits1References1Affected Software1
cve
cve
added 2026/03/20 1:31 a.m.43 views

CVE-2026-32874

UltraJSON (ujson) for Python, C-based fast JSON encoder/decoder, is affected in versions 5.4.0–5.11.0 by a memory-leak in parsing large integers that fall outside [-2^63, 2^64-1]. The leak copies the integer’s string form plus an extra NULL byte and occurs regardless of whether the integer parses...

7.5CVSS5.7AI score0.00479EPSS
Exploits0References6Affected Software1
cvelist
cvelist
added 2026/03/20 1:31 a.m.23 views

CVE-2026-32874 UltraJSON has a Memory Leak parsing large integers allows DoS

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large outside of the range -2^63, 2^64 - 1 integers. The leaked memory is a copy of the string form of the integer plus a...

7.5CVSS0.00479EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/03/20 1:31 a.m.4 views

CVE-2026-32874 UltraJSON has a Memory Leak parsing large integers allows DoS

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large outside of the range -2^63, 2^64 - 1 integers. The leaked memory is a copy of the string form of the integer plus a...

7.5CVSS5.8AI score0.00479EPSS
Exploits0References3
nessus
nessus
added 2026/03/20 12:0 a.m.7 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jq (SUSE-SU-2026:0931-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0931-1 advisory. This update for jq fixes the following issue: - CVE-2025-9403: test suite assertion failure in JSON parsi...

5.5CVSS5.9AI score0.00194EPSS
Exploits1References4
github
github
added 2026/03/19 5:43 p.m.30 views

Prototype Pollution via parse() in NodeJS flatted

--- Summary The parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "\proto\" returns Array.prototype via the...

9.8CVSS6AI score0.00808EPSS
Exploits1References5Affected Software1
osv
osv
added 2026/03/19 12:44 p.m.7 views

GHSA-Q382-VC8Q-7JHJ Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk

The Go SDK recently transitioned to the segmentio/encoding library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with null Unicode characters appended at the end...

8.2CVSS5.8AI score
Exploits0References4
snyk
snyk
added 2026/03/19 12:44 p.m.4 views

Interpretation Conflict

Overview Affected versions of this package are vulnerable to Interpretation Conflict in the JSON parsing process. An attacker can manipulate message fields by appending null Unicode characters to keys, causing key collisions and overriding intended values by submitting specially crafted JSON...

8.2CVSS5.8AI score
Exploits0References3
github
github
added 2026/03/19 12:44 p.m.34 views

Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk

The Go SDK recently transitioned to the segmentio/encoding library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with null Unicode characters appended at the end...

5.8AI score
Exploits0References4Affected Software1
Rows per page
Query Builder