Lucene search
K

205 matches found

OSV
OSV
added 2026/06/25 5:16 a.m.2 views

DEBIAN-CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...

8.7CVSS6.3AI score0.0036EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/19 7:36 p.m.5 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the parse function. An attacker can cause memory corruption by mutating the input JSON string during parsing callbacks, which leads to the parser accessing freed memory. Remediation Upgrade oj to version 3.17.3 or...

9.1CVSS5.8AI score0.00117EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/09 2:27 p.m.26 views

shell-quote quote() does not escape newlines in object .op values

Summary shell-quote's quote function did not validate object-token inputs against the operator model used by parse. The .op field was backslash-escaped character by character using /./g, which in JavaScript does not match line terminators \n, \r, U+2028, U+2029. A line terminator in .op therefore...

9.2CVSS5.6AI score0.00848EPSS
Exploits1References7Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.12 views

CVE-2026-41507

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the...

9.8CVSS5.9AI score0.00393EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.11 views

Mermaid 安全漏洞

Mermaid is an open-source application developed by mermaid-js. It uses text and code to create charts and visualizations. Versions of Mermaid prior to 10.9.6 and 11.15.0 have security vulnerabilities. These vulnerabilities arise from the use of the excludes property when rendering Gantt charts; i...

5.3CVSS5.9AI score0.00384EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/28 5:4 p.m.10 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the Parse function. An attacker can exhaust CPU resources and generate excessive log output by sending oversized or malformed headers that are processed without length checks. Remediation...

6.9CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 5:4 p.m.13 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the Parse function. An attacker can exhaust CPU resources and generate excessive log output by sending oversized or malformed headers that are processed without length checks. Remediation...

6.9CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 5:4 p.m.10 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the Parse function. An attacker can exhaust CPU resources and generate excessive log output by sending oversized or malformed headers that are processed without length checks. Remediation...

6.9CVSS5.8AI score0.00237EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/27 9:33 p.m.14 views

Symfony hardened the parser when handling untrusted input

Description Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse. When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level Parser::parseBlock and inline Inline::parseSequence /...

5.8AI score0.00089EPSS
Exploits0References6Affected Software2
NVD
NVD
added 2026/05/20 8:16 p.m.12 views

CVE-2026-47099

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS0.00358EPSS
Exploits0References3
CVE
CVE
added 2026/05/20 6:0 p.m.17 views

CVE-2026-47099

TeleJSON prior to 6.0.0 contains a DOM-based XSS via the parse() reviver that reads a constructor-name property and passes it to new Function(), allowing arbitrary JavaScript execution in contexts such as postMessage for cross-frame communication. Affected component: TeleJSON parse() in versions ...

6.1CVSS6AI score0.00358EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/20 6:0 p.m.29 views

CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS0.00358EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/20 6:0 p.m.10 views

CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS6AI score0.00358EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/20 6:0 p.m.7 views

CVE-2026-47099

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

6.1CVSS6AI score0.00358EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/14 8:23 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attack...

8.7CVSS5.8AI score0.00384EPSS
Exploits0References2
NVD
NVD
added 2026/05/08 2:16 p.m.11 views

CVE-2026-41507

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the...

9.8CVSS0.00393EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/08 1:49 p.m.14 views

EUVD-2026-28597

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the...

9.8CVSS6.1AI score0.00393EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.9 views

math-codegen 代码注入漏洞

Math-CodeGen is an interpreter developed by Mauricio Poppe that generates JavaScript code from mathematical expressions. Versions of Math-CodeGen prior to 0.4.3 contained a code injection vulnerability. This vulnerability stemmed from the cg.parse function not properly cleaning string literal...

9.8CVSS6AI score0.00393EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/17 10:31 p.m.9 views

Arbitrary Code Injection

Overview math-codegen is a Generates code from mathematical expressions Affected versions of this package are vulnerable to Arbitrary Code Injection via the parse function. An attacker can execute arbitrary code by supplying crafted input that is injected directly into a dynamically created...

9.8CVSS6.2AI score0.00393EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/17 12:0 a.m.9 views

PT-2026-37126

Name of the Vulnerable Software and Affected Versions math-codegen versions prior to 0.4.3 Description String literal content passed to the cg.parse function is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when...

9.8CVSS6.7AI score0.00393EPSS
Exploits0References11
Rows per page
Query Builder