52194 matches found

Cvelist
added 2026/03/20 5:52 a.m., 22 views

CVE-2026-33043 AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

8.1 CVSS, 0.0002 EPSS
Exploits: 1, References: 2
Snyk
added 2026/03/20 4:53 a.m., 2 views

Malicious Package

Overview: json-bundling is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2
OSV
added 2026/03/20 4:53 a.m., 3 views

MAL-2026-1978 Malicious code in json-specular (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21e4ef994911ed1494838bbc4c0f20fb4e194a7e264a9e7014759d9e23466ac9 The package json-specular was found to contain malicious code. Source: ghsa-malware 1bb4124a4b5522f2d7f36098f59a85a760b3e029a30baffafa922a34d2e7a21c...

5.7 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/03/20 4:53 a.m., 4 views

Malicious code in json-bundling (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 61f19cbc17dc9182ab2266b7b505dedb74da2b797aa6661669f53efd1b86777a The package json-bundling was found to contain malicious code. Source: ghsa-malware debc855dc41e080d6afbfd087c2a01d8d9e5fac885734e59fb2e1adb870d6198...

5.7 AI score
Exploits: 0, References: 1
OSV
added 2026/03/20 4:53 a.m., 1 views

MAL-2026-1977 Malicious code in json-bundling (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 61f19cbc17dc9182ab2266b7b505dedb74da2b797aa6661669f53efd1b86777a The package json-bundling was found to contain malicious code. Source: ghsa-malware debc855dc41e080d6afbfd087c2a01d8d9e5fac885734e59fb2e1adb870d6198...

5.7 AI score
Exploits: 0, References: 1
OSV
added 2026/03/20 4:41 a.m., 0 views

MAL-2026-1968 Malicious code in safe-json-parsex (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c75827c4ff52be2152687faf186ee7a5668e9dd33bd30adfab490a5e2198c30 The package safe-json-parsex was found to contain malicious code. Source: ghsa-malware 4baa22d0d844650e1fcedcce52b117324903496e0d1399245674b48e4b3ae0...

5.7 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/03/20 4:41 a.m., 2 views

Malicious code in safe-json-parsex (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c75827c4ff52be2152687faf186ee7a5668e9dd33bd30adfab490a5e2198c30 The package safe-json-parsex was found to contain malicious code. Source: ghsa-malware 4baa22d0d844650e1fcedcce52b117324903496e0d1399245674b48e4b3ae0...

5.7 AI score
Exploits: 0, References: 1
Snyk
added 2026/03/20 4:41 a.m., 2 views

Malicious Package

Overview: safe-json-parsex is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2
Snyk
added 2026/03/20 4:26 a.m., 4 views

Malicious Package

Overview: json-parse-genie is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2
OSV
added 2026/03/20 4:26 a.m., 2 views

MAL-2026-1952 Malicious code in json-parse-genie (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57744a9f0e3acf081bd2a75ca3684d01e3907f1eab7636e0873ed0ef1bf509ee The package json-parse-genie was found to contain malicious code. Source: ghsa-malware b2293df6ecd418ffd21c1112affa6571afe9a78ff596ce2dd1fac64a470c98...

5.7 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2026/03/20 4:26 a.m., 3 views

Malicious code in json-parse-genie (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57744a9f0e3acf081bd2a75ca3684d01e3907f1eab7636e0873ed0ef1bf509ee The package json-parse-genie was found to contain malicious code. Source: ghsa-malware b2293df6ecd418ffd21c1112affa6571afe9a78ff596ce2dd1fac64a470c98...

5.7 AI score
Exploits: 0, References: 1
NVD
added 2026/03/20 2:16 a.m., 2 views

CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...

6.4 CVSS, 0.00025 EPSS
Exploits: 1, References: 1
Cvelist
added 2026/03/20 1:31 a.m., 18 views

CVE-2026-32874 UltraJSON has a Memory Leak parsing large integers allows DoS

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing of large integers outside of the range [-2^63, 2^64 - 1]. The leaked memory is a copy of the string form of the integer plus a...

7.5 CVSS, 0.00077 EPSS
Exploits: 0, References: 3
CVE
added 2026/03/20 1:31 a.m., 22 views

CVE-2026-32874

UltraJSON (ujson) for Python, C-based fast JSON encoder/decoder, is affected in versions 5.4.0–5.11.0 by a memory-leak in parsing large integers that fall outside [-2^63, 2^64-1]. The leak copies the integer’s string form plus an extra NULL byte and occurs regardless of whether the integer parses...

7.5 CVSS, 5.7 AI score, 0.00077 EPSS
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2026/03/20 1:31 a.m., 2 views

CVE-2026-32874 UltraJSON has a Memory Leak parsing large integers allows DoS

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing of large integers outside of the range [-2^63, 2^64 - 1]. The leaked memory is a copy of the string form of the integer plus a...

7.5 CVSS, 5.8 AI score, 0.00077 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/20 1:4 a.m., 1 views

CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...

6.4 CVSS, 5.8 AI score, 0.00025 EPSS
Exploits: 1, References: 2, Affected Software: 1
EUVD
added 2026/03/20 1:4 a.m., 1 views

EUVD-2026-13429

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...

6.4 CVSS, 5.8 AI score, 0.00025 EPSS
Exploits: 1, References: 1
CVE
added 2026/03/20 1:4 a.m., 8 views

CVE-2026-32880

ChurchCRM prior to 7.0.2 is vulnerable to Stored XSS via JSON handling in SystemSettings.php, where unsanitized JSON input for system settings can store a JavaScript payload that executes when an admin views settings. Root cause: unescaped JSON input in SystemSettings.php. Impact: cross-site scri...

6.4 CVSS, 5.8 AI score, 0.00025 EPSS
Exploits: 1, References: 1, Affected Software: 1
Snyk
added 2026/03/20 12:40 a.m., 1 views

SQL Injection

Overview: kysely is a type-safe SQL query builder. Affected versions of this package are vulnerable to SQL Injection via the visitJSONPathLeg function, which appends user-controlled values from .key and .at directly into single-quoted JSON path string literals without proper escaping. An attacker c...

8.8 CVSS, 6.1 AI score, 0.00021 EPSS
Exploits: 1, References: 2
NVD
added 2026/03/20 12:16 a.m., 2 views

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

8.2 CVSS, 0.00021 EPSS
Exploits: 1, References: 3