52298 matches found

IBM Security Bulletins (added 2026/01/27 7:00 a.m.)

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in Nimbus JOSE+JWT

Summary: Vulnerabilities have been identified in Nimbus JOSE+JWT, which is used in IBM Engineering Lifecycle Management - Jazz Foundation.
Vulnerability Details: CVEID: CVE-2025-53864. DESCRIPTION: Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to...

CVSS 5.8 | AI score 5.9 | EPSS 0.00143 | Exploits 0 | Affected Software 1
Snyk (added 2026/01/27 12:55 a.m.)

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the FindContainer function. An attacker can gain unauthorized interactive shell access to containers outside their permitted label scope by directly targeting container IDs through th...

CVSS 9.9 | AI score 5.9 | EPSS 0.00026 | Exploits 1 | References 2
Tenable Nessus (added 2026/01/27 12:00 a.m.)

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : cJSON vulnerabilities (USN-7973-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7973-1 advisory. It was discovered that cJSON incorrectly handled parsing large numbers. An attacker could possibly use this issue to caus...

CVSS 9.8 | AI score 6.2 | EPSS 0.00273 | Exploits 3 | References 4
CNNVD (added 2026/01/27 12:00 a.m.)

SKRoot security vulnerabilities

SKRoot is a Linux kernel root tool developed by abcz316. SKRoot has a security vulnerability, which stems from a null pointer dereferencing in the JSON parsing component cJSON.Cpp, potentially leading to crashes...

CVSS 8.7 | AI score 5.8 | EPSS 0.00085 | Exploits 0 | References 1
Packet Storm (added 2026/01/27 12:00 a.m.)

📄 MinIO RELEASE.2023-03-20T20-16-18Z Vulnerability Scanner

This PHP script is a command-line vulnerability scanner designed to detect CVE-2023-28432 in MinIO servers. The vulnerability allows unauthenticated access to sensitive environment variables through the /minio/bootstrap/v1/verify endpoint...

CVSS 7.5 | AI score 5.9 | EPSS 0.94004 | Exploits 13
Packet Storm (added 2026/01/26 12:00 a.m.)

📄 AVideo 14.3.1 notify.ffmpeg.json.php Remote Code Execution

AVideo version 14.3.1 unauthenticated remote code execution exploit that leverages notify.ffmpeg.json.php. Exploit header: | Title : AVideo 14.3.1 via notify.ffmpeg.json.p...

CVSS 9.3 | AI score 6.5 | EPSS 0.41084 | Exploits 2
Github Security Blog (added 2026/01/23 3:31 p.m.)

protobuf affected by a JSON recursion depth bypass

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

CVSS 8.2 | AI score 5.6 | EPSS 0.00013 | Exploits 0 | References 6 | Affected Software 1
OSV (added 2026/01/23 3:31 p.m.)

GHSA-7GCM-G887-7QV7 protobuf affected by a JSON recursion depth bypass

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

CVSS 8.2 | AI score 7.2 | EPSS 0.00013 | Exploits 0 | References 6
Debian CVE (added 2026/01/23 2:55 p.m.)

CVE-2026-0994

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

CVSS 8.2 | AI score 5.6 | EPSS 0.00013 | Exploits 0
AlpineLinux (added 2026/01/23 2:55 p.m.)

CVE-2026-0994

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can...

CVSS 8.2 | AI score 5.7 | EPSS 0.00013 | Exploits 0 | References 1
IBM Security Bulletins (added 2026/01/23 12:03 p.m.)

Security Bulletin: A vulnerability in the golang-jwt package affects IBM DB2 Big SQL on Cloud Pak for Data

Summary: A vulnerability in the golang-jwt 4.5 package affects IBM DB2 Big SQL 7.8.0 on Cloud Pak for Data 5.1 and earlier.
Vulnerability Details: CVEID: CVE-2025-30204. DESCRIPTION: golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2,...

CVSS 7.5 | AI score 5.7 | EPSS 0.00083 | Exploits 0 | Affected Software 1
RedhatCVE (added 2026/01/23 6:19 a.m.)

CVE-2026-23958

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints...

CVSS 9.8 | AI score 5.5 | EPSS 0.00037 | Exploits 1 | References 1
OSV (added 2026/01/23 4:53 a.m.)

USN-7973-1 cjson vulnerabilities

It was discovered that cJSON incorrectly handled parsing large numbers. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-26819) It was discovered that cJSON may perform an out-of-bounds read when processing specially crafted JSON files using parse_object. An attacker...

CVSS 9.8 | AI score 5.8 | EPSS 0.00273 | Exploits 3 | References 4
Ubuntu (added 2026/01/23 4:53 a.m.)

USN-7973-1: cJSON vulnerabilities

It was discovered that cJSON incorrectly handled parsing large numbers. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-26819) It was discovered that cJSON may perform an out-of-bounds read when processing specially crafted JSON files using parse_object. An attacker...

CVSS 9.8 | AI score 5.7 | EPSS 0.00273 | Exploits 3
SUSE CVE (added 2026/01/23 12:28 a.m.)

SUSE CVE-2025-67221

The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents...

CVSS 5.9 | AI score 5.4 | EPSS 0.00029 | Exploits 1 | References 4
Tenable Nessus (added 2026/01/23 12:00 a.m.)

Oracle Business Intelligence Enterprise Edition (12.2.1.4) (January 2026 CPU)

The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory. - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics component...

CVSS 7.5 | AI score 6.8 | EPSS 0.00521 | Exploits 0 | References 7
Snyk (added 2026/01/22 10:50 p.m.)

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of JWT authentication middleware and RBAC authorization checks in the routing configuration for the /api/v1/jobs endpoint. An attacker can view, update, and delete jobs by sending...

CVSS 9.8 | AI score 5.6 | EPSS 0.0012 | Exploits 1 | References 2
ATTACKERKB (added 2026/01/22 10:20 p.m.)

CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

CVSS 9.3 | AI score 5.4 | EPSS 0.0012 | Exploits 1 | References 3 | Affected Software 1
Metasploit (added 2026/01/22 6:57 p.m.)

SmarterTools SmarterMail GUID File Upload Vulnerability

This module exploits a pre-auth remote code execution vulnerability in SmarterTools SmarterMail before version 100.0.9413. The endpoint /api/upload fails to sanitize the contextData POST parameter which can contain JSON data with a "guid" key that allows directory traversal. By leveraging this...

CVSS 10 | AI score 8 | EPSS 0.89112 | Exploits 15