77 matches found
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the MVG decoder when processing a crafted file due to a missing depth or visited-set check. An attacker can cause a denial of service by supplying a specially crafted MVG file that triggers a stack overflow...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the QUIC stack, when flooded with PATHCHALLENGE frames. A malicious remote peer can exhaust heap memory and terminate a QUIC client or server. Remediation A fix was pushed into the...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free due to missing handler call depth tracking in the processing of XMLGetBuffer, XMLParse, XMLParseBuffer, XMLParserFree, or XMLParserReset from within handlers when a policy violation occurs. An attacker can cause memory...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the serialization algorithm in the PrefetchPageLinks function. An attacker can cause a denial of service by supplying specially crafted user input that is reflected and processed...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the parsing of maliciously crafted Git repository data, such as .pack, .idx, or loose objects. An attacker can cause the application to panic by providing a payload that excee...
CVE-2026-49324
The CVE-2026-49324 affects the Wireless Control Module (WCM) in the Indian Motorcycle Scout Bobber + Tech 2025 model year. The root cause is an exploitable brute‑force lockout that is reachable via any unauthenticated in‑vehicle network message, with no session binding and no reset on power cycle...
CVE-2026-49322
Weak authentication in the Wireless Control Module WCM of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The...
Heap-based Buffer Overflow
Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the decodemaskimage function. An attacker can cause a heap buffer overflow by providing a crafted HEIF file containing a mask image where the iloc extent exceeds the allocated pixel buffer, leading to...
Information Exposure
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Information Exposure via the sandbox CallSite handling. An attacker can leak absolute host filesystem paths by causing error.stack or...
Uncaught Exception
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /api/namespaces/:tenant process. An attacker can access sensitive information belonging to other tenants by authenticating with an API Key and bypassing membership checks...
Use of a Broken or Risky Cryptographic Algorithm
Overview paramiko is a library for making SSH2 connections client or server. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the RSA key handling by allowing the use of the SHA-1 algorithm. An attacker can compromise the integrity of...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the enforcement of X.509 nameConstraints due to case-sensitive comparisons for dNSName and the domain portion of rfc822Name. An attacker can gain unauthorized certificate validation and potential...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input due to improper handling of oversized Subject Alternative Name fields during certificate validation. An attacker can bypass certificate validation by crafting a certificate with an...
Use of Uninitialized Resource
Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Use of Uninitialized Resource via the hasmambalayers function in the KV Block Handler. An attacker can cause unintended behavior by leaking data...
Uncontrolled Recursion
Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the smartLeftAngle function in smartypants.go file. An attacker can cause a panic or read unintended memory by providing input containing a character in the remaining text. PoC package main import "bytes" "fmt"...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via improper hostname normalization in the NOPROXY environment variable. An attacker controlling reques...
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the isVMLowLevelOptionForbidden function in lxd/project/limits/permissions.go. An attacker can set forbidden low-level VM configuration keys, such as raw.apparmor or raw.qemu.conf in a project th...