11 matches found
GHSA-995V-FVRW-C78M opentelemetry-go's Schema ParseFile leaks file descriptors on each parse
Summary: go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leak one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file...
Missing Release of File Descriptor or Handle after Effective Lifetime
Overview: Affected versions of this package are vulnerable to Missing Release of File Descriptor or Handle after Effective Lifetime via the ParseFile function. An attacker can cause the process to exhaust available file descriptors and disrupt service by repeatedly triggering schema parsing...
Missing Release of File Descriptor or Handle after Effective Lifetime
Overview: Affected versions of this package are vulnerable to Missing Release of File Descriptor or Handle after Effective Lifetime via the ParseFile function. An attacker can cause the process to exhaust available file descriptors and disrupt service by repeatedly triggering schema parsing...
opentelemetry-go's Schema ParseFile leaks file descriptors on each parse
Summary: go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leak one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file...
PT-2026-44726
Summary: go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leak one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file...
CVE-2026-39859 LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile and parseFile, but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty...
EUVD-2026-20611
LiquidJS: renderFile / parseFile bypass configured root and allow arbitrary file read...
OSV-2026-74 Heap-buffer-overflow in ___interceptor_strtol
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=476180586 Crash type: Heap-buffer-overflow READ 3 Crash state: ___interceptor_strtol, Assimp::ObjFileParser::getFace, Assimp::ObjFileParser::parseFile...
OSV-2023-201 UNKNOWN READ in Assimp::SMDImporter::ParseNodeInfo
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57218 Crash type: UNKNOWN READ Crash state: Assimp::SMDImporter::ParseNodeInfo, Assimp::SMDImporter::ParseNodesSection, Assimp::SMDImporter::ParseFile...
tinytoml Denial of Service Vulnerability
tinytoml is a small Japanese TOML parser for C++11. A denial of service vulnerability exists in tinytoml version v0.4, which originates from a stack overflow in the parseFile function when an input file is fed into the program. A remote attacker can exploit this vulnerability to cause a denial of...
tinytoml Buffer Error Vulnerability
tinytoml is a small Japanese TOML parser for C++11. A denial of service vulnerability exists in tinytoml version v0.4, which originates from a stack overflow in the parseFile function when an input file is fed into the program. A remote attacker can exploit this vulnerability to cause a denial of...