52300 matches found
CVE-2026-22028 Preact has JSON VNode Injection issue
Preact, a lightweight web development framework, includes JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed t...
CVE-2026-22028
CVE-2026-22028 affects Preact where a regression in 10.26.5 weakened JSON serialization protection, allowing JSON payloads to be mis-parsed as valid VNodes and potentially leading to HTML injection and script execution if CSP or other mitigations are not in place. Affected versions include 10.26....
CVE-2026-22028
Preact, a lightweight web development framework, includes JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed t...
MAL-2026-160 Malicious code in json-mappings (npm)
Source: amazon-inspector 5e1cd8f06a356d4ca69b87f0f2e2dbd6245d42c08c515189c1681251d0cf3aa3 The package json-mappings was found to contain malicious code. Source: ghsa-malware f708e7c962688a26f87824a7ae962f667dc7238ba5b55aeb27c26e18c5f4b13f...
Malicious code in json-mappings (npm)
Source: amazon-inspector 5e1cd8f06a356d4ca69b87f0f2e2dbd6245d42c08c515189c1681251d0cf3aa3 The package json-mappings was found to contain malicious code. Source: ghsa-malware f708e7c962688a26f87824a7ae962f667dc7238ba5b55aeb27c26e18c5f4b13f...
EUVD-2026-1648
Malicious code in json-mappings npm...
Malicious Package
Overview json-mappings is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVE-2025-66786
OpenAirInterface CN5G AMF=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack...
UBUNTU-CVE-2026-21869
llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fill...
Foomuuri parameter injection vulnerability
Foomuuri is an open source firewall configuration generation and management tool from Foobar Oy. A parameter injection vulnerability exists in versions of Foomuuri prior to 0.31, which stems from improper JSON configuration neutralization and could lead to compromised firewall configuration...
CVE-2026-21869 llama.cpp has Out-of-bounds Write in llama-server
llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fill...
CVE-2026-21869
CVE-2026-21869 affects llama.cpp prior to commit 55d4206c9, where the server’s completion endpoints parse the JSON input parameter n_discard without validating that it is non‑negative. A negative n_discard can cause a reversed range/offset in llama_memory_seq_rm/add, leading to out‑of‑bou...
CVE-2026-21869
llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fill...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE-202...
Preact has JSON VNode Injection issue
Impact Vulnerability Type: HTML Injection via JSON Type Confusion Affected Versions: Preact 10.26.5 through 10.28.1 Severity: Low to Medium see below Who is Impacted? Applications using affected Preact versions are vulnerable if they meet all of the following conditions: 1. Pass unmodified,...
GHSA-36HM-QXXP-PG3M Preact has JSON VNode Injection issue
Impact Vulnerability Type: HTML Injection via JSON Type Confusion Affected Versions: Preact 10.26.5 through 10.28.1 Severity: Low to Medium see below Who is Impacted? Applications using affected Preact versions are vulnerable if they meet all of the following conditions: 1. Pass unmodified,...
CVE-2025-66786
OpenAirInterface CN5G AMF=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack...
CVE-2025-66786
OpenAirInterface CN5G AMF=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack...
Path Traversal in Agent Flows via `uuid` (Arbitrary .json File Read/Delete)
Description : Summary I discovered a Path Traversal vulnerability in the AgentFlows component that allows reading and deleting arbitrary .json files on the server. The issue stems from the improper usage of path.join combined with normalizePath. The application resolves the file path using user...
CVE-2019-7725
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie, i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...