Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. An attacker can cause...
IBM WebSphere Application Server 8.5.5.3 < 8.5.5.30 / 9.x < 9.0.5.27 / Liberty 21.0.0.3 < 26.0.0.3 DoS (7261794)
The version of IBM WebSphere Application Server running on the remote host is affected by a DoS vulnerability as referenced in the 7261794 advisory. - In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an...
Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which are vulnerable to CVEs.
Summary IBM Maximo Application Suite uses "org.apache.cxf:cxf-core 3.6.7, io.netty:netty-codec-http 4.1.124.Final, github.com/golang-jwt/jwt/v4 v4.5.0" which are vulnerable to "CVE-2025-48913, CVE-2025-58056, CVE-2024-51744". This bulletin contains information regarding the vulnerabilities and how...
WordPress RestroPress Online Food Ordering System 3.1.9.2 Disclosure Scanner
WordPress RestroPress Online Food Ordering System plugin version 3.1.9.2 user metadata exposure scanner. | Title : WordPress RestroPress Online Food Orderi...
SUSE SLED15 / SLES15 Security Update : protobuf (SUSE-SU-2026:0618-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0618-1 advisory. - CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python json_format.ParseDict (bsc#1257173). Tenable...
CVE-2026-28275
CVE-2026-28275 affects the self-hosted project management platform Initiative . Versions prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password, allowing older tokens to remain valid until expiration and continue to access protected API endpoints...
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. Additionally, Go's standard...
CVE-2026-27896
A flaw was found in the Go MCP SDK. This issue occurs due to an improper handling of case sensitivity during JSON-RPC message parsing, specifically in the matching of JSON keys to struct field tags. This behavior violates the JSON-RPC 2.0 specification, which explicitly requires case-sensitive...
Security update for docker-stable
This update for docker-stable fixes the following issues: CVE-2025-30204: Fixed a vulnerability in jwt-go which allowed excessive memory allocation during header parsing (bsc#1240513). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdat...
golang: html/template: errors returned from MarshalJSON methods may break template escaping
A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into...
Denial Of Service (DoS)
org.bitbucket.bc:jose4j is vulnerable to a Denial-of-Service (DoS). The vulnerability is due to improper handling of highly compressed JSON Web Encryption (JWE) tokens, which allows an attacker to supply a malicious token with an excessive compression ratio that triggers significant memory allocation...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the Google Calendar integration configuration response in the app config endpoint. An attacker can retrieve the service account’s API key JSON including private key material by...
Use of a Broken or Risky Cryptographic Algorithm
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the Google authentication. An attacker can gain unauthorized access to...
CVE-2026-27896
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc...
CVE-2026-27896 MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc...
CVE-2026-27896
The CVE-2026-27896 concerns the Go MCP SDK, affected in versions prior to 1.3.1, where Go’s json.Unmarshal (case-insensitive field matching) could accept non-standard JSON-RPC/MCP field casing. This violates JSON-RPC 2.0’s exact field names and could allow messages to bypass intermediary inspecti...
CVE-2026-27896 MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc...
CVE-2026-27804
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing...
PT-2026-22223
Name of the Vulnerable Software and Affected Versions Initiative versions prior to 0.32.4 Description Initiative, a self-hosted project management platform, does not invalidate previously issued JWT access tokens after a user changes their password. This allows older tokens to remain valid until...
WireGuard Portal v2 Security Vulnerability
WireGuard Portal v2 is a web-based configuration portal developed by h44z as an individual project. Versions of WireGuard Portal v2 prior to 2.1.3 contained security vulnerabilities. These vulnerabilities stemmed from the server’s inability to protect the IsAdmin field when parsing JSON request...