323 matches found
CVE-2025-0980 JSON RPC authentication bypass in Nokia SR Linux
Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials...
Linux Distros Unpatched Vulnerability : CVE-2025-67858
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impac...
BIT-HAPROXY-2025-11230 Denial of service vulnerability in HAProxy mjson library
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests...
CVE-2025-67731
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc...
CVE-2025-65296
NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.60027, Hub M3 4.3.60025, and Camera Hub G3 4.1.90027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs...
Security vulnerability in multiple Aqara products
Aqara Camera Hub G3 and others are smart surveillance cameras from Aqara USA. A security vulnerability exists in various Aqara products that stems from the presence of a null pointer dereference in JSON processing, which could lead to a denial of service attack. The following products and versio...
CVE-2025-13528
The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handleexport' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or...
CVE-2025-12571 Allocation of Resources Without Limits or Throttling in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON...
EUVD-2025-199596
Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json= option, the registr...
Revive Adserver Cross-Site Scripting Vulnerability
Revive Adserver is an open source ad serving system that allows advertisers, publishers, and networks to place ads on multiple platforms e.g., websites, apps, video players and supports ad effectiveness tracking, campaign management, and placement rule definition. Revive Adserver suffers from a...
haproxy: denial of service vulnerability in HAProxy mjson library
A flaw was found in haproxy, stemming from an inefficient algorithmic complexity issue within its bundled mjson parsing library. This vulnerability is triggered when haproxy is configured to analyze JSON content, such as with the json_query or jwt_payload_query function...
EUVD-2025-177079
Malicious code in prettier-json-publish-quito npm...
EUVD-2025-112383
Malicious code in iota-json-release-it-chai npm...
Malicious code in equal_roadrunner_z3n (npm)
Source: amazon-inspector ad9e43de418f9273f8be1908158ec4dcc1939e22569ebfbb682184828304fec6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in vida-ruwet21-breki (npm)
Source: amazon-inspector 06c591f7dc40735d4bc0f6b4c2be536b82c24d5b446e123e4235557a5ad6525c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in bambang-jus39-riris (npm)
Source: amazon-inspector 2fae25e5a9258fd0c80bed5883f3bbba3f6747826bb7c46b3a85130827526458 The package bambang-jus39-riris was found to contain malicious code. This package appears to be part of the tea.xyz token reward campaign that floode...
GHSA-4766-X535-JW3R kgateway is missing xDS authorization
Summary: The xDS interface in Kgateway versions 2.0.0 through 2.0.4 lacks authentication, allowing any client with unrestricted network access to the xDS port to retrieve potentially sensitive configuration data including certificate data, backend service information, routing rules, and cluster...
CVE-2025-50739
iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization...
CVE-2025-11447 Allocation of Resources Without Limits or Throttling in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads...
GHSA-G46H-2RQ9-GW5M OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests
Summary: JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage similar to a zip bomb. While reproducing the issue, we could reach a factor of about 35. This...