1154 matches found
CVE-2026-39836 Panic in Dial and LookupPort when handling NUL byte on Windows in net
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL 0...
Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)
Security Vulnerability Report: DNS Codec Input Validation Bypass in Netty Encoder + Decoder 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions with codec-dns | | Component | io.netty.handler.codec.dns.DnsCodecUtil | |...
Null Byte Interaction Error (Poison Null Byte)
Overview Affected versions of this package are vulnerable to Null Byte Interaction Error Poison Null Byte due to inadequate validation of domain name labels and lengths in the encodeDomainName and decodeDomainName components. An attacker can cause DNS cache poisoning, bypass domain validation, or...
GHSA-CM33-6792-R9FM Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)
Security Vulnerability Report: DNS Codec Input Validation Bypass in Netty Encoder + Decoder 1. Vulnerability Summary | Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final and all prior versions with codec-dns | | Component | io.netty.handler.codec.dns.DnsCodecUtil | |...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: php (UTSA-2026-016519)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016519 advisory. In PHP version 8.1. before 8.1.28, 8.2. before 8.2.18, 8.3. before 8.3.5, ifa password stored with passwordhash starts with a null byte \x00, testing a blank string ...
Nokogiri XSLT transform has a memory leak
Summary Nokogiri's Nokogiri::XSLT::Stylesheettransform leaks a small heap allocation when passed a Ruby string parameter containing a null byte. For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial of service attack against...
GHSA-V2FC-QM4H-8HQV Nokogiri XSLT transform has a memory leak
Summary Nokogiri's Nokogiri::XSLT::Stylesheettransform leaks a small heap allocation when passed a Ruby string parameter containing a null byte. For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial of service attack against...
PT-2026-38489
Summary Nokogiri's Nokogiri::XSLT::Stylesheettransform leaks a small heap allocation when passed a Ruby string parameter containing a null byte. For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial of service attack against...
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
Vulnerability Disclosure: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams Summary The encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00'...
NPM: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
NPM: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
GHSA-XHJH-PMCV-23JW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
Vulnerability Disclosure: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams Summary The encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00'...
PT-2026-38372
Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description Netty's DNS codec fails to enforce RFC 1035 domain name constraints during encoding and decoding, creating a bidirectional attack surface. In the encoder, t...
CVE-2026-43861
mutt before 2.3.2 does not check for '\0' in urlpctdecode...
CVE-2026-43861
mutt before 2.3.2 does not check for '\0' in urlpctdecode...
CVE-2026-43861
mutt before 2.3.2 does not check for '\0' in urlpctdecode...
Linux Distros Unpatched Vulnerability : CVE-2026-43861
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - mutt before 2.3.2 does not check for '\0' in urlpctdecode. CVE-2026-43861 Note that Nessus relies on the presence of the package as reported by the vendor...
CLSA-2026-1777541348 flatpak: Fix of CVE-2021-43860
CVE-2021-43860: hidden permissions via null byte in metadata file...
EUVD-2026-26665
An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened...
Missing Release of Memory after Effective Lifetime
Overview nokogiri is a gem for parsing HTML, XML, SAX, and Reader. Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the XSLT::Stylesheettransform function, when a string parameter containing a null byte is processed, preventing...
CVE-2026-42040
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00' correctly...