Lucene search

20 matches found

OSV
added 2026/04/17 10:31 p.m. · 3 views

GHSA-P6X5-P4XF-CC4R Remote Code Execution (RCE) via String Literal Injection into math-codegen

Impact: String literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flo...

CVSS 9.8 · AI score 6.1 · EPSS 0.00062
Exploits: 0 · References: 6
NVD
added 2026/02/09 10:16 p.m. · 3 views

CVE-2026-25918

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...

CVSS 5.9 · EPSS 0.00017
Exploits: 0 · References: 3
OSV
added 2026/02/09 10:16 p.m. · 0 views

UBUNTU-CVE-2026-25918

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...

CVSS 5.9 · AI score 5.8 · EPSS 0.00017
Exploits: 0 · References: 5
OSV
added 2026/02/09 9:29 p.m. · 3 views

CVE-2026-25918 unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...

CVSS 5.9 · AI score 5.6 · EPSS 0.00017
Exploits: 0 · References: 5
Cvelist
added 2025/12/23 10:56 p.m. · 27 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 8.6 · EPSS 0.00072
Exploits: 0 · References: 4
Tenable Nessus
added 2025/09/10 12:0 a.m. · 1 views

Linux Distros Unpatched Vulnerability : CVE-2016-10222

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service...

CVSS 7.5 · AI score 7.4 · EPSS 0.00464
Exploits: 0 · References: 2
CVE
added 2025/07/01 2:7 a.m. · 19 views

CVE-2024-49365

The CVE-2024-49365 issue affects tiny-secp256k1 prior to 1.1.7, where in environments using the Node buffer package, Buffer.isBuffer can be bypassed and a crafted JSON-stringifiable object could be accepted by verify(), potentially causing false-positive True values. The root cause is a vulnerabi...

CVSS 9.1 · AI score 6.6 · EPSS 0.0021
Exploits: 0 · References: 2
OSV
added 2024/01/02 11:15 p.m. · 1 views

UBUNTU-CVE-2023-49552

An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file...

CVSS 7.5 · AI score 5.8 · EPSS 0.00453
Exploits: 1 · References: 2
CNNVD
added 2024/01/02 12:0 a.m. · 3 views

Cesanta MJS Security Vulnerability

Cesanta MJS is an embedded JavaScript engine for C/C++ from Cesanta Ireland. Designed for microcontrollers with limited resources. The main design goals were a small footprint and simple C/C++ interoperability. Cesanta MJS has a denial of service vulnerability that can be exploited by an attacker...

CVSS 7.5 · AI score 6.7 · EPSS 0.00453
Exploits: 1 · References: 2
Positive Technologies
added 2024/01/02 12:0 a.m. · 2 views

PT-2024-13745 · Cesanta · Mjs

Name of the Vulnerable Software and Affected Versions: Cesanta mjs version 2.20.0. Description: An Out of Bounds Write in Cesanta mjs allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file. Recommendations: For Cesanta mjs version 2.20.0,...

CVSS 7.5 · AI score 7.4 · EPSS 0.00453
Exploits: 1 · References: 11
SUSE CVE
added 2023/02/15 5:55 a.m. · 3 views

SUSE CVE-2011-0055

Use-after-free vulnerability in the JSON.stringify method in js3250.dll in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via unspecified vectors related to the js_HasOwnProperty function and garbage...

CVSS 10 · AI score 8 · EPSS 0.03375
Exploits: 0 · References: 5
SUSE CVE
added 2023/02/15 4:53 a.m. · 2 views

SUSE CVE-2016-10222

runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers a "type confusion" in the JSON.stringify function...

CVSS 7.5 · AI score 6.9 · EPSS 0.00464
Exploits: 0 · References: 3
ATTACKERKB
added 2022/01/27 9:15 p.m. · 4 views

CVE-2021-46554

Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_json_stringify at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS)...

CVSS 5.5 · AI score 5.9 · EPSS 0.00138
Exploits: 1 · References: 2
CNNVD
added 2022/01/27 12:0 a.m. · 2 views

Cesanta MJS Security Vulnerability

Cesanta MJS is an embedded JavaScript engine for C/C++ from Cesanta Ireland. It is designed for microcontrollers with limited resources. The main design goals are a small footprint and simple C/C++ interoperability. Cesanta MJS has a security vulnerability that stems from Cesanta MJS v2.20.0 was...

CVSS 5.5 · AI score 5.8 · EPSS 0.00138
Exploits: 1 · References: 2
Cvelist
added 2020/08/13 6:52 p.m. · 19 views

CVE-2020-24348

njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c...

AI score 5.5 · EPSS 0.00046
Exploits: 1 · References: 2
Hacker One
added 2019/04/09 3:23 p.m. · 17 views

Node.js third-party modules: Server Side JavaScript Code Injection

I would like to report a Service Side JavaScript Code Injection in fastify. It allows an attacker that can control a single property name in the serialization schema to achieve Remote Command Execution in the context of the web server. Module module name: fastify version: 2.2.0 npm page:...

AI score 8.2
Exploits: 0
OSV
added 2017/04/03 5:59 a.m. · 1 views

CVE-2016-10222

runtime/JSONObject.cpp in JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 18, allows remote attackers to cause a denial of service (segmentation violation and application crash) via crafted JavaScript code that triggers a "type confusion" in the JSON.stringify function...

CVSS 7.5 · AI score 5.9
Exploits: 0 · References: 2
OpenVAS
added 2013/08/01 12:0 a.m. · 10 views

Fedora Update for nodejs-json-stringify-safe FEDORA-2013-11780

The remote host is missing an update for the SPDX-FileCopyrightText: 2013 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 3.3 · AI score 6.8 · EPSS 0.00104
Exploits: 0 · References: 2
OpenVAS
added 2013/08/01 12:0 a.m. · 12 views

Fedora Update for nodejs-json-stringify-safe FEDORA-2013-11780

Check for the Version of nodejs-json-stringify-safe OpenVAS Vulnerability Test Fedora Update for nodejs-json-stringify-safe FEDORA-2013-11780 Authors: System Generated Check Copyright: Copyright c 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can...

CVSS 3.3 · EPSS 0.00104
Exploits: 0 · References: 2
RedHat Linux
added 2011/03/02 1:6 a.m. · 3 views

Mozilla use-after-free error in JSON.stringify (MFSA2011-03)

Use-after-free vulnerability in the JSON.stringify method in js3250.dll in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, and SeaMonkey before 2.0.12, might allow remote attackers to execute arbitrary code via unspecified vectors related to the js_HasOwnProperty function and garbage...

CVSS 10 · AI score 6.2 · EPSS 0.03375
Exploits: 0 · References: 4