Format String Injection

Ruby JSON is vulnerable to Format String Injection. The vulnerability is due to a format string injection vulnerability, where the allowduplicatekey: false parsing option is used to parse user supplied documents and can lead to denial of service attacks or information disclosure...

AVideo: IDOR - Any Admin Can Set Another User's Channel Password Via SetPassword.json.php

Summary The "setPassword.json.php" endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero befor...

Denial Of Service (DoS)

Micronaut Framework is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of descending array index order in JsonBeanPropertyBinder::expandArrayToThreshold, where crafted form-urlencoded parameters can trigger a non-terminating loop, leading to CPU exhaustion and...

Linux Distros Unpatched Vulnerability : CVE-2026-33210

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can...

Linux Distros Unpatched Vulnerability : CVE-2026-32710

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a...

Linux Distros Unpatched Vulnerability : CVE-2026-33228

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direc...

CVE-2026-33238 AVideo has a Path Traversal in listFiles.json.php that Enables Server Filesystem Enumeration

WWBN AVideo is an open source video platform. Prior to version 26.0, the listFiles.json.php endpoint accepts a path POST parameter and passes it directly to glob without restricting the path to an allowed base directory. An authenticated uploader can traverse the entire server filesystem by...

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

DEBIAN-CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

UBUNTU-CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

CVE-2026-33210 Ruby JSON has a format string injection vulnerability

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

CVE-2026-33210

The connected advisory (GHSA-3M6G-2423-7CP3) describes a format string injection vulnerability in Ruby JSON that can cause denial of service or information disclosure when parsing documents with allow_duplicate_key: false. This option is not the default, so impact depends on opting in. The issue ...

CVE-2026-33210 Ruby JSON has a format string injection vulnerability

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

CVE-2026-33210 Ruby JSON has a format string injection vulnerability

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allowduplicatekey: false parsing option is used to parse user...

EUVD-2026-13871

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt on attacker-controlled JWEs using PBES2 algorithms are...

CVE-2026-33203

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on...

CVE-2026-33203

CVE-2026-33203 affects SiYuan prior to 3.6.2. The SiYuan kernel WebSocket server accepts unauthenticated connections when an explicit auth keepalive parameter is present. After connection, messages are parsed with unchecked type assertions on attacker-controlled JSON, allowing a remote attacker t...