Security Bulletin: Expr Built-in Functions Recursion DoS Vulnerability (Fixed in v1.17.7) affects watsonx.data

Summary Expr prior to v1.17.7 is vulnerable to a Denial-of-Service DoS due to unbounded recursion in certain built-in functions, which can cause stack overflow and application crashes when processing deeply nested or cyclic data. Fixed in v1.17.7. This can affect watsonx.data. Vulnerability Detai...

FastFeedParser 安全漏洞

FastFeedParser is a high-performance Python library for parsing RSS and Atom feeds, open-sourced by Kagi Search. Versions of FastFeedParser prior to 0.5.10 contained a security vulnerability. This vulnerability stemmed from the lack of a recursive depth limit when parsing HTML meta refresh tags,...

CVE-2026-26209 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

cbor2 provides encoding and decoding for the Concise Binary Object Representation CBOR serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...

SUSE-SU-2026:20753-1 Security update for protobuf

This update for protobuf fixes the following issues: Security fixes: - CVE-2025-4565: Fixed parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages that could lead to crash due to RecursionError bsc1244663. - CVE-2026-0994: Fixed google.protobuf.A...

PT-2026-25973

Name of the Vulnerable Software and Affected Versions pyasn1 versions prior to 0.6.3 Description The pyasn1 library is susceptible to a Denial of Service DoS attack stemming from uncontrolled recursion when decoding ASN.1 data containing deeply nested structures. An attacker can craft a payload...

CVE-2026-32141

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...

flatted 安全漏洞

Flatted is a lightweight and fast cycle-based JSON parser developed by Andrea Giammarchi. Versions of Flatted prior to 3.4.0 contained a security vulnerability. This vulnerability stemmed from the recursive depth of the parse function when handling specially crafted payloads, which could lead to ...

OPENSUSE-SU-2026:20340-1 Security update for cJSON

This update for cJSON fixes the following issues: - Update to version 1.7.19 Check for NULL in cJSONDetachItemViaPointer. Check overlap before calling strcpy in cJSONSetValuestring. Fix Max recursion depth for cJSONDuplicate to prevent stack exhaustion. Allocate memory for the temporary buffer wh...

python: protobuf: Protobuf: Denial of Service due to recursion depth bypass

A flaw was found in protobuf. A remote attacker can exploit this denial-of-service DoS vulnerability by supplying deeply nested google.protobuf.Any messages to the google.protobuf.jsonformat.ParseDict function. This bypasses the intended recursion depth limit, leading to the exhaustion of Python’...

SUSE-SU-2026:20657-1 Security update for libxslt, libxml2

This update for libxslt, libxml2 fixes the following issues: libxml2: - CVE-2026-0990: call stack overflow leading to application crash due to infinite recursion in xmlCatalogXMLResolveURI bsc1256807, bsc1256811 - CVE-2026-0992: excessive resource consumption when processing XML catalogs due to...

python: protobuf: Protobuf: Denial of Service due to recursion depth bypass

A flaw was found in protobuf. A remote attacker can exploit this denial-of-service DoS vulnerability by supplying deeply nested google.protobuf.Any messages to the google.protobuf.jsonformat.ParseDict function. This bypasses the intended recursion depth limit, leading to the exhaustion of Python’...

CLSA-2026-1772451263 protobuf: Fix of CVE-2026-0994

CVE-2026-0994: recursion depth bypass in jsonformat.ParseDict...

Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack

Impact In simple words, some programs that use .flatten or .isEqual could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation...

PT-2026-22841

Name of the Vulnerable Software and Affected Versions Underscore.js versions prior to 1.13.8 Description Underscore.js, a JavaScript utility-belt library, contains an issue in the .flatten and .isEqual functions. These functions utilize recursion without a depth limit, potentially leading to a...

CLSA-2026-1772453362 protobuf: Fix of CVE-2026-0994

CVE-2026-0994: recursion depth bypass in jsonformat.ParseDict...

RHEL 9 : protobuf (RHSA-2026:3219)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:3219 advisory. The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet...

RHEL 10 : protobuf (RHSA-2026:3218)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:3218 advisory. The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet...

RockyLinux 9 : protobuf (RLSA-2026:3095)

The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:3095 advisory. python: protobuf: Protobuf: Denial of Service due to recursion depth bypass CVE-2026-0994 Tenable has extracted the preceding description block directly from the...

SUSE SLED15 / SLES15 Security Update : protobuf (SUSE-SU-2026:0618-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0618-1 advisory. i - CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python jsonformat.ParseDict bsc1257173. Tenable...

AlmaLinux 10 : protobuf (ALSA-2026:3094)

The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:3094 advisory. python: protobuf: Protobuf: Denial of Service due to recursion depth bypass CVE-2026-0994 Tenable has extracted the preceding description block directly from the...