Lucene search
K

17 matches found

CVE
CVE
added 2026/06/22 5:33 p.m.12 views

CVE-2026-54298

Astro, prior to 6.4.6, is vulnerable to XSS via unescaped attribute names when spreading props onto HTML elements. The spreadAttributes path iterates over object keys and passes them to addAttribute, which interpolates the key into the HTML output without escaping, allowing attackers to inject ev...

6.1CVSS6AI score0.0016EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/06/22 5:33 p.m.31 views

CVE-2026-54298 Astro: XSS via Unescaped Attribute Names in Spread Props

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props ...

4.2CVSS0.0016EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.9 views

Astra Linux – Vulnerability in python-pymysql

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input, because keys are not escaped by escapedict...

6.3CVSS6.6AI score0.00691EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/16 2:57 p.m.9 views

Cross-site Scripting (XSS)

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the addAttribute function, which interpolates unescaped object keys as HTML attribute names when spreadi...

6.1CVSS5.9AI score0.0016EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/07 1:15 p.m.5 views

CVE-2026-41490

Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating...

8.3CVSS6AI score0.00265EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/28 6:3 a.m.5 views

CVE-2026-40967

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0...

8.6CVSS5.2AI score0.00394EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.6 views

PT-2026-26090

Name of the Vulnerable Software and Affected Versions Kysely versions up to and including 0.28.11 Description Kysely, a type-safe TypeScript SQL query builder, has a SQL injection issue in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function directly appends...

8.2CVSS5.9AI score0.00419EPSS
Exploits1References11
OSV
OSV
added 2025/12/23 8:8 p.m.5 views

GHSA-R399-636X-V7F6 LangChain serialization injection vulnerability enables secret extraction

Context A serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using JSON.stringify. The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark...

8.6CVSS7.2AI score0.00746EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2025/12/23 8:8 p.m.14 views

LangChain serialization injection vulnerability enables secret extraction

Context A serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using JSON.stringify. The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark...

9.1CVSS7.3AI score0.00746EPSS
Exploits0References6Affected Software2
RedHat Linux
RedHat Linux
added 2024/11/12 8:56 a.m.4 views

python-pymysql: SQL injection if used with untrusted JSON input

A flaw was found in PyMySQL. When processing untrusted JSON input, keys are not escaped by the escapedict function due to insufficient input sanitization, allowing an attacker to inject malicious SQL queries...

6.3CVSS5.8AI score0.00691EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added 2024/07/02 3:29 p.m.5 views

python-pymysql: SQL injection if used with untrusted JSON input

A flaw was found in PyMySQL. When processing untrusted JSON input, keys are not escaped by the escapedict function due to insufficient input sanitization, allowing an attacker to inject malicious SQL queries...

6.3CVSS5.8AI score0.00691EPSS
Exploits1References4
OSV
OSV
added 2024/05/21 4:15 p.m.2 views

DEBIAN-CVE-2024-36039

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escapedict...

6.3CVSS6.5AI score0.00691EPSS
Exploits1References1
OSV
OSV
added 2024/05/21 4:15 p.m.10 views

AZL-43726 CVE-2024-36039 affecting package python-PyMySQL 0.9.3-3

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escapedict...

6.3CVSS6.6AI score0.00691EPSS
Exploits1References1
OSV
OSV
added 2024/05/21 4:15 p.m.8 views

AZL-44457 CVE-2024-36039 affecting package python-PyMySQL for versions less than 1.1.1-3

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escapedict...

6.3CVSS6.6AI score0.00691EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2020/09/24 12:0 a.m.3 views

PT-2020-6809 · Mediawiki +1 · Mediawiki +1

Name of the Vulnerable Software and Affected Versions: MediaWiki versions 1.34.x through 1.34.3 Description: An issue was discovered in MediaWiki where the NS filter on Special:Contributions uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild...

9.8CVSS5.7AI score0.04098EPSS
Exploits6References66
OSV
OSV
added 2018/05/29 8:29 p.m.2 views

DEBIAN-CVE-2015-9244

Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape which could lead to SQL Injection...

9.8CVSS7.4AI score0.02443EPSS
Exploits1References1
OSV
OSV
added 2018/05/29 8:29 p.m.20 views

UBUNTU-CVE-2015-9244

Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape which could lead to SQL Injection...

9.8CVSS5.9AI score0.02443EPSS
Exploits1References4
Rows per page
Query Builder