Text::LineFold 安全漏洞

Text::LineFold is a Perl text processing module developed by NEZUMI’s individual developers. Versions of Text::LineFold starting from 2019.001 and earlier contained security vulnerabilities. These vulnerabilities were caused by repeated output based on the number of special line breaks, which cou...

Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Description Symfony\Component\Mime\Address is the value-object every Symfony Mailer address to/cc/bcc/from/reply-to flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

BentoML 代码注入漏洞

BentoML is an open-source model service library developed by BentoML. It is used to build high-performance and scalable artificial intelligence applications using Python. Prior to BentoML 1.4.39, there was a code injection vulnerability. This vulnerability stemmed from the envs.name value...

PT-2026-44136

Description SymfonyComponentMimeAddress is the value-object every Symfony Mailer address to/cc/bcc/from/reply-to flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

CVE-2026-9277

shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore passed...

Net::Statsd::Lite 注入漏洞

Net::Statsd::Lite is a lightweight StatsD client developed by Robert Rothenberg, which supports multiple metric data packets. Versions of Net::Statsd::Lite prior to 0.10.0 have a vulnerability due to the setadd method not checking for line breaks, colons, or pipes, which may lead to metric...

Net::Statsd::Lite 注入漏洞

Net::Statsd::Lite is a lightweight StatsD client developed by Robert Rothenberg, which supports multiple metric data packets. Versions of Net::Statsd::Lite prior to 0.9.0 have a injection vulnerability. This vulnerability arises from the lack of checks for line breaks, colons, or vertical bars in...

Gotenberg 参数注入漏洞

Gotenberg is an open-source, developer-friendly API developed by Gotenberg. It is used to convert various document formats into PDF files. Versions of Gotenberg 8.30.1 and earlier contained a parameter injection vulnerability. This vulnerability stemmed from the fact that the metadata writing...

CLSA-2026-1776953969 vim: Fix of CVE-2022-2889

CVE-2022-2889: fix use-after-free with multiple line breaks in Vim9 expression by deferring the free of evalarg-evaltofree...

Radare2 操作系统命令注入漏洞

Radare2 is an open-source reverse framework for Unix-based geeks, developed by Radare. Versions of Radare2 prior to 6.1.4 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the printgvars function in the PDB parser, which allowed command...

WordPress plugin HTTP Headers 注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-31952

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description Vikunja, a self-hosted task management platform, has an issue where the CalDAV output generator doesn't properly escape characters in iCalendar VTODO entries. Specifically, user-controlled task title...

FTL 注入漏洞

FTL is an open-source network advertising interception and statistics tool developed by Pi-hole. Versions of FTL from 6.0 to 6.6 had a injection vulnerability. This vulnerability stemmed from configuration parameters of upstream DNS servers, allowing authenticated attackers to inject arbitrary...

FTL 注入漏洞

FTL is an open-source network advertising interception and statistics tool developed by Pi-hole. Versions of FTL from 6.0 to 6.6 had a injection vulnerability. This vulnerability stemmed from the DNS CNAME record configuration parameters, allowing authenticated attackers to inject arbitrary dnsma...

FTL 注入漏洞

FTL is an open-source network advertising interception and statistics tool developed by Pi-hole. Versions of FTL from 6.0 to 6.6 had a injection vulnerability. This vulnerability stemmed from configuration parameters in DNS host records, allowing authenticated attackers to inject arbitrary dnsmas...

Pymetasploit3 安全漏洞

Pymetasploit3 is an automated library developed by Dan McInerney. Versions of pymetasploit3 prior to 1.0.6 contain security vulnerabilities. These vulnerabilities stem from the console.runmodulewithoutput function, which allows for the injection of line breaks into module options, potentially...

H3 注入漏洞

H3 is an open-source HTTP framework developed by H3. Versions prior to H3 1.15.6, as well as versions 2.0.0 to 2.0.1-rc.14, have a vulnerability related to injection attacks. This vulnerability stems from the lack of line break cleaning in the createEventStream function, which may allow the serve...

CVE-2026-24001

A flaw was found in jsdiff. A specially crafted patch input containing specific line break characters can cause the parsePatch method to enter an infinite loop, leading to uncontrolled memory consumption and a process crash, resulting in a denial of service. The applyPatch method is similarly...

CPython security vulnerabilities

CPython is a Python interpreter implemented in C language by the Python Foundation. CPython has a security vulnerability that stems from the email module’s improper handling of line breaks during email serialization, which may lead to header injection attacks...

DEBIAN-CVE-2026-24001

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch method to enter an infinite loop. It then consumes memory...