PT-2026-39719

Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier Description jq accepts embedded NUL bytes in import paths at the jq-language level, but subsequently resolves those paths using C string operations during module and data-file lookup. This results in a mismatch...

PT-2026-39710

Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier Description Top-level programs loaded from a file using the '-f' flag are truncated at the first embedded NUL byte. A specially crafted filter file containing a NUL byte followed by an arbitrary suffix will compil...

jq 安全漏洞

jq is a lightweight and flexible command-line JSON processor developed by jqlang. Jq versions 1.8.1 and earlier have security vulnerabilities; these vulnerabilities stem from unbounded recursion in jvobjectmergerecursive. This recursion allows malicious programs to cause program crashes with...

jq 输入验证错误漏洞

jq is a lightweight and flexible command-line JSON processor developed by jqlang. Jq versions 1.8.1 and earlier contain a vulnerability related to input validation errors. This vulnerability stems from the use of signed integers for the stack allocation size in the jq bytecode virtual machine. Wh...

Linux Distros Unpatched Vulnerability : CVE-2026-41257

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyo...

Linux Distros Unpatched Vulnerability : CVE-2026-43894

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INTMAX-1 2147483646 digits, the D2U macro...

📄 S2M Forgot Password Endpoint Token Exposure

This Python script demonstrates a security assessment targeting a forgot-password API endpoint in a digital payment platform operated by S2M, a company specializing in secure electronic transactions and payment processing solutions. The script sends a crafted POST request using a known email...

jq 安全漏洞

jq is a lightweight and flexible command-line JSON processor developed by jqlang. Jq versions 1.8.2rc1 and earlier have security vulnerabilities. These vulnerabilities stem from the fact that the standard module loader does not perform cyclic checks when modules are included within each other,...

PT-2026-39709

Name of the Vulnerable Software and Affected Versions jq versions prior to 1.8.2 Description The jv contains function recurses into nested arrays and objects without a depth limit. When processing a sufficiently nested input structure, this can lead to C stack exhaustion, causing the application ...

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to version 29 contain security vulnerabilities. These vulnerabilities stem from the objects/sendEmail.json.php file, which allows unverified attackers to send arbitrary emails...

SOCFortress CoPilot 授权问题漏洞

SOCFortress CoPilot is an open-source unified security operations platform developed by SOCFortress. Versions of SOCFortress CoPilot prior to 0.1.57 contained authorization-related vulnerabilities. These vulnerabilities stemmed from a hardcoded JWT signing key being used as a backup value, and th...

Unity Linux 20.1060e / 20.1070e Security Update: json-lib (UTSA-2026-017417)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017417 advisory. Apache Log4j2 2.0-beta9 through 2.15.0 excluding security releases 2.12.2, 2.12.3, and 2.3.1 JNDI features used in configuration, log messages, and parameters do not...

PT-2026-39506

Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com baforms component with malicious JSON payloads in the 'id' field...

Balbooa Joomla Forms Builder SQL注入漏洞

Balbooa Joomla Forms Builder is a website form building plugin provided by Balbooa Corporation, which offers visual form design and data collection features. Version 2.0.6 of Balbooa Joomla Forms Builder contains an SQL injection vulnerability. This vulnerability stems from an unauthenticated SQL...

openSUSE 16 Security Update : log4cxx (openSUSE-SU-2026:20705-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20705-1 advisory. Changes in log4cxx: - update to 1.7.0 bsc1261994, CVE-2026-40023: Non-ascii characters incorrectly encoded in JSON output 615 XML output could contain...

EUVD-2026-28934

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

GHSA-HM8Q-7F3Q-5F36 Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Summary Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches...

apko 代码问题漏洞

Apko is an open-source OCI image builder based on APK. Versions of Apko prior to 1.2.7 had code vulnerabilities. These vulnerabilities stemmed from DiscoverKeys’ unconditional assertion of JWKS key types as rsa.PublicKey without checking the key type. This could lead to panic and crashes due to...

PT-2026-39329

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.18 Description Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This occurs because the...

Unity Linux 20.1050e / 20.1070e Security Update: python-PyMySQL (UTSA-2026-017341)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017341 advisory. PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escapedict. Tenable has extracted the preceding...