CVE-2026-7768

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

CVE-2026-7768 @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

CVE-2026-7768 @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the...

CVE-2026-7768

The CVE affects @fastify/accepts-serializer where serializer-selection results are cached by the request Accept header without bounds or eviction, allowing an unauthenticated remote client to cause unbounded cache growth and Node.js heap exhaustion leading to a crash. Affected versions are

@fastify/accepts-serializer 安全漏洞

@fastify/accepts-serializer is a plugin developed by Fastify, which automatically selects a serialization method based on the Accept header. Versions of @fastify/accepts-serializer up to 6.0.3 contained security vulnerabilities. These vulnerabilities stemmed from the lack of size limits or evicti...

PT-2026-36915

Name of the Vulnerable Software and Affected Versions @fastify/accepts-serializer versions prior to 6.0.4 Description An issue exists where serializer-selection results are cached using the request Accept header as a key without a size limit or eviction policy. A remote unauthenticated client can...

Uncontrolled Recursion

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion through the toFormData recursive serializer in lib/helpers/toFormData.js. An attacker can crash a process by supplying a deeply nested object as...

EUVD-2025-209570

Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer...

GHSA-C2JG-5CP7-6WC7 Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer

Remote Code Execution via Unsafe Deserialization in Pipecat's LivekitFrameSerializer Summary A critical vulnerability exists in Pipecat's LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class now deprecated intended for LiveKit integration. The class's deserialize...

Deserialization of Untrusted Data

Overview pipecat-ai is an An open source framework for voice and multimodal assistants Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from...

CVE-2025-62373 Pipecat vulnerable to Remote Code Execution by Pickle Deserialization via LivekitFrameSerializer

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class now deprecated intended for LiveKit...

CVE-2025-62373 Pipecat vulnerable to Remote Code Execution by Pickle Deserialization via LivekitFrameSerializer

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class now deprecated intended for LiveKit...

Pipecat 代码问题漏洞

Pipecat is an open-source development framework developed by Pipecat that supports real-time audio and video stream processing as well as AI-powered dialogue interactions. Versions 0.0.41 to 0.0.93 of Pipecat contain code vulnerabilities. These vulnerabilities stem from the deserialize method of...

GHSA-X6WF-F3PX-WCQX xmldom has XML node injection through unvalidated processing instruction serialization

Summary The package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. ---...

GHSA-J759-J44W-7FR8 xmldom has XML node injection through unvalidated comment serialization

Summary The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. --- Details The issue is in t...

PT-2026-34616

Name of the Vulnerable Software and Affected Versions @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions 0.6.0 and earlier Description Seven recursive traversals in lib/dom.js operate without a depth limit. When processing a sufficiently deeply nested...

PT-2026-34615

Name of the Vulnerable Software and Affected Versions @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions prior to 0.6.0 Description The software allows attacker-controlled comment content to be serialized into XML without validating or neutralizing...

Cross-site Scripting (XSS)

Overview rrweb-snapshot is a rrweb's component to take a snapshot of DOM, aka DOM serializer Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rrweb-snapshot process. An attacker can execute arbitrary web scripts or inject malicious HTML by submitting a speciall...

Linux Distros Unpatched Vulnerability : CVE-2026-34601

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom...

CVE-2026-34601 xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a...