CVE-2026-53655 node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

CVE-2026-53655

node-tar (node-tar) before version 7.5.16 is vulnerable: it applies a PAX extended header size override to the next header entry, including intermediary L/K/x headers, which desynchronizes the stream cursor from other tar implementations. This yields a tar-parser interpretation differential (CWE-...

Linux Distros Unpatched Vulnerability : CVE-2024-10491

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data i...

EUVD-2025-4104

Malicious code in bioql PyPI...

EUVD-2022-0673

Malicious code in bioql PyPI...

CVE-2025-48936 ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

thunderbird: User Interface (UI) Misrepresentation of attachment URL

A flaw was found in Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the...

CVE-2025-25290

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression /+; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS Regul...

CVE-2025-25290

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression /+; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS Regul...

CVE-2025-25290

CVE-2025-25290 affects Octokit’s request.js: the code path that parses HTTP Link headers uses an unbounded RegExp (/]+)>; rel="deprecation"/) to match deprecation links. This enables a ReDoS (Regular Expression Denial of Service) by crafted link headers, causing high CPU use and potential serv...

CVE-2025-25290 @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression /+; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS Regul...

GHSA-RMVR-2PP2-XJ38 @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Summary The regular expression /+; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS Regular Expression Denial of Service attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic...

@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Summary The regular expression /+; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS Regular Expression Denial of Service attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic...

SUSE CVE-2024-10491

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...

PT-2025-7073

Name of the Vulnerable Software and Affected Versions: @octokit/request versions 1.0.0 through 9.2.1 Description: The regular expression /+; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS Regular Expression Denial of Service attack. This vulnerability...

PT-2025-7071

Name of the Vulnerable Software and Affected Versions: @octokit/plugin-paginate-rest versions 1.0.0 through 11.4.1 Description: The issue is a Regular Expression Denial of Service ReDoS vulnerability that can be triggered when calling octokit.paginate.iterator with a specially crafted octokit...

CVE-2024-10491

A flaw was found in the Express Node.js framework. In certain versions, an attacker may be able to trigger an arbitrary resource injection attack via the link header when unsanitized data is used...

GHSA-CM5G-3PGC-8RG4 Express ressource injection

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...

Express ressource injection

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...

CVE-2024-10491

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...