GHSA-XP4F-G2CM-RHG7 PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket

Impact Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time. This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties...

Logging of Excessive Data

Overview pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP Affected versions of this package are vulnerable to Logging of Excessive Data through the processing of client data JWTs in LoginPacket. An attacker can cause...

Always-Incorrect Control Flow Implementation

Overview Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

CVE-2026-30624

Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the...

Security update for mariadb

This update for mariadb fixes the following issues: Update to version 11.8.6. https://mariadb.com/docs/release-notes/community-server/11.8/11.8.6 https://mariadb.com/docs/release-notes/community-server/changelogs/11.8/11.8.6 Security issues fixed: CVE-2026-32710: heap-based buffer overflow via...

Security Bulletin: SPSS Collaboration and Deployment Services is affected by non-blocking (async) JSON parser in jackson-core (WS-2026-0003)

Summary SPSS Collaboration and Deployment Services is affected by non-blocking async JSON parser in jackson-core WS-2026-0003. This has been addressed in the remediation section. Vulnerability Details ID:WS-2026-0003 DESCRIPTION: The non-blocking async JSON parser in jackson-core bypasses the...

Malicious code in moscova-plural-json-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a51fa685cb52dec458580533d514310ee1449c22a04bf82f6f1fc1e9e7b9db5 The package moscova-plural-json-parser was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2676 Malicious code in moscova-plural-json-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a51fa685cb52dec458580533d514310ee1449c22a04bf82f6f1fc1e9e7b9db5 The package moscova-plural-json-parser was found to contain malicious code. Source: ghsa-malware...

Malicious Package

Overview moscova-plural-json-parser is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

PT-2026-33172

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 Description A stored cross-site scripting issue exists in SEO-related fields, specifically the SEO Title and Meta Description. User-controlled input is rendered without proper output encoding into HTML...

VulnCheck KEV: CVE-2025-12548

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration SSH keys, tokens, etc. from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333...

PT-2026-33072

Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the...

CVE-2026-30624

Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the...

Uncontrolled resource consumption and loop with unreachable exit condition in facil.io and downstream iodine ruby gem

Summary fiojsonparse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning a parse error. Because iodine vendors the same parser code, the issue also affects iodine when it parses...

Infinite loop

Overview iodine is a fast HTTP / Websocket Server with built-in Pub/Sub support with or without Redis, static file support and many other features, optimized for Ruby MRI on Linux / BSD / macOS. Affected versions of this package are vulnerable to Infinite loop through the fiojsonparse function. A...

GHSA-2X79-GWQ3-VXXM Uncontrolled resource consumption and loop with unreachable exit condition in facil.io and downstream iodine ruby gem

Summary fiojsonparse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning a parse error. Because iodine vendors the same parser code, the issue also affects iodine when it parses...

CVE-2026-1314 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sendpostpagesjson function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticat...

SUSE CVE-2026-34481

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values NaN, Infinity, or -Infinity, which are prohibited by RFC 8259. Th...

SUSE CVE-2026-40164

jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed 0x432A9843 for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSO...

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal via the deleteDump parameter in the cloneServer.json.php process. An attacker can delete arbitrary files on the server by supplying path...