GHSA-5F5R-95PG-XRPM Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Summary Some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15...

Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Summary Some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15...

CVE-2026-39376

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

EUVD-2026-19915

FastFeedParser has an infinite redirect loop DoS via meta-refresh chain...

GHSA-4GX2-PC4F-WQ37 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain

Summary When parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh response...

FastFeedParser has an infinite redirect loop DoS via meta-refresh chain

Summary When parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh response...

Uncontrolled Recursion

Overview fastfeedparser is a High performance RSS, Atom, JSON and RDF feed parser in Python Affected versions of this package are vulnerable to Uncontrolled Recursion through the parse function when processing HTML responses containing a tag, which leads to unbounded recursion without a redirect...

PYSEC-2026-60

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

CVE-2026-39376

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

PYSEC-2026-60

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

CVE-2026-39376

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

CVE-2026-39376 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

CVE-2026-39376 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

CVE-2026-39376

FastFeedParser is affected by CVE-2026-39376 prior to version 0.5.10. When parse() fetches a URL returning an HTML page with a tag, it may recursively call itself on the redirect URL without a depth limit, visited-URL deduplication, or redirect count cap. An attacker-controlled server that emits...

CVE-2026-34969

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

FastFeedParser 安全漏洞

FastFeedParser is a high-performance Python library for parsing RSS and Atom feeds, open-sourced by Kagi Search. Versions of FastFeedParser prior to 0.5.10 contained a security vulnerability. This vulnerability stemmed from the lack of a recursive depth limit when parsing HTML meta refresh tags,...

PT-2026-31006

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse fetches a URL that returns an HTML page containing a tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An...

EUVD-2026-19442

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell...

CVE-2026-35022

Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority CNA. It was determined that the -p flag behavior is documented in Anthropic's claude -h output with an explicit warning that non-interactive mode should only be used in trusted directories, making this intended and...

CVE-2026-34969

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...