53 matches found

CVE | added yesterday | 38 views
CVE-2026-2604
Summary: CVE-2026-2604 affects evolution-data-server. An inconsistent comparison logic in the addressbook backend lets a Flatpak/D-Bus user craft a malicious URI with directory traversal sequences. This URI is stored during contact creation/modification and later rechecked with lower strictness d...
CVSS 5.6 | AI score 5.4
Exploits 0 | References 5

NVD | added 2026/06/08 3:16 p.m. | 9 views
CVE-2026-49233
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache...
CVSS 8.3 | EPSS 0.00433
Exploits 0 | References 1

EUVD | added 2026/06/08 12:58 p.m. | 6 views
EUVD-2026-35063
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache...
CVSS 8.3 | AI score 5.4 | EPSS 0.00433
Exploits 0 | References 1

OSV | added 2026/05/19 12:24 a.m. | 5 views
CLSA-2026-1779099998 ruby: Fix of CVE-2023-28755
CVE-2023-28755: fix ReDoS in URI parser by converting greedy quantifiers to possessive quantifiers in RFC3986_URI and RFC3986_relative_ref...
CVSS 5.3 | AI score 6.6 | EPSS 0.02637
Exploits 0 | References 1

CVE | added 2026/05/08 7:15 a.m. | 15 views
CVE-2026-44928
CVE-2026-44928 affects uriparser prior to 1.0.2. The EqualsUri function can misclassify two unequal URIs as equal, per EUVD-2026-28537 and PT-2026-38682. A remediation is to update to version 1.0.2 or later; PT-2026-38682 also recommends restricting EqualsUri usage as a temporary workaround. No e...
CVSS 5.3 | AI score 5.8 | EPSS 0.00211
Exploits 0 | References 1 | Affected software 1

AstraLinux | added 2026/05/03 11:59 p.m. | 4 views
Astra Linux – Vulnerability in Twisted
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF...
CVSS 6.1 | AI score 6.9 | EPSS 0.02535
Exploits 1 | References 2

RedhatCVE | added 2026/04/27 12:48 p.m. | 2 views
CVE-2026-42371
A flaw was found in uriparser. This vulnerability occurs due to numeric truncation in text range comparison when an application processes extremely long Uniform Resource Identifiers (URIs), specifically those with lengths in gigabytes. A local attacker could exploit this flaw by providing a...
CVSS 5.1 | AI score 5.3 | EPSS 0.00172
Exploits 0 | References 5

EUVD | added 2026/04/27 5:50 a.m. | 6 views
EUVD-2026-25776
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes...
CVSS 5.1 | AI score 5.2 | EPSS 0.00172
Exploits 0 | References 2

Snyk | added 2026/04/27 5:50 a.m. | 3 views
Integer Overflow or Wraparound
Overview: Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the text range comparison process when handling extremely long Uniform Resource Identifiers. An attacker can cause the application to become unavailable by supplying a malformed, excessively long URI...
CVSS 5.9 | AI score 5.3 | EPSS 0.00172
Exploits 0 | References 2

NVD | added 2026/04/09 10:16 p.m. | 5 views
CVE-2026-5263
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL woul...
CVSS 7 | EPSS 0.00152
Exploits 0 | References 1

RedhatCVE | added 2026/03/26 3:16 p.m. | 4 views
CVE-2026-31873
Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data...
CVSS 6.1 | AI score 6 | EPSS 0.00237
Exploits 1 | References 1

CNNVD | added 2026/03/24 12:00 a.m. | 4 views
sbt operating system command injection vulnerability
SBT is an open-source build tool for Scala, Java, and other languages. Prior to SBT 1.12.7, there was a vulnerability related to operating system command injection. This vulnerability stemmed from unvalidated user-controlled URI fragments, which could allow arbitrary commands to be executed on...
CVSS 7.8 | AI score 6 | EPSS 0.00304
Exploits 1 | References 5

RedhatCVE | added 2026/03/05 12:36 p.m. | 1 view
CVE-2025-11143
A flaw was found in org.eclipse.jetty. The Jetty URI parser handles invalid or unusual Uniform Resource Identifiers (URIs) differently compared to other common parsers. This discrepancy, known as differential parsing, can lead to security bypasses in systems that use multiple components to process...
CVSS 6.5 | AI score 5.8 | EPSS 0.00159
Exploits 0 | References 4

CNNVD | added 2026/01/15 12:00 a.m. | 3 views
vert.x security vulnerability
Vert.x is an open-source toolkit developed by Eclipse Vert.x. There is a security vulnerability in Vert.x, which stems from improper implementation of the static program cache. This vulnerability could be exploited by specially crafted request URIs, leading to denial-of-service attacks against...
CVSS 6.9 | AI score 6.6 | EPSS 0.00343
Exploits 1 | References 3

SUSE Linux | added 2025/11/14 8:22 a.m. | 3 views
Security update for openssh8.4
This update for openssh8.4 fixes the following issues: CVE-2025-61984: Fixed code execution via control characters in usernames when a ProxyCommand is used (bsc#1251198). CVE-2025-61985: Fixed code execution via '\0' character in ssh:// URI when a ProxyCommand is used (bsc#1251199). Patch Instructions: T...
CVSS 5.3 | AI score 7.7 | EPSS 0.00221
Exploits 2 | References 8

CNVD | added 2025/08/28 12:00 a.m. | 2 views
Google Android Information Disclosure Vulnerability (CNVD-2025-19990)
Google Android is a Linux-based open source operating system from Google. Google Android suffers from an information disclosure vulnerability that is caused by double encoding of URIs in multiple locations. The vulnerability can be exploited by an attacker to obtain sensitive information...
CVSS 4 | AI score 6.2 | EPSS 0.00091
Exploits 0 | References 1

CNNVD | added 2025/08/26 12:00 a.m. | 3 views
Google Android security vulnerability
Google Android is a Linux-based open source operating system from Google. Google Android suffers from an information disclosure vulnerability that is caused by double encoding of URIs in multiple locations. The vulnerability can be exploited by an attacker to obtain sensitive information...
CVSS 4 | AI score 6.1 | EPSS 0.00091
Exploits 0 | References 5

RedHat Linux | added 2025/05/15 3:39 p.m. | 4 views
firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames
A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended...
CVSS 9.1 | AI score 7.4 | EPSS 0.00364
Exploits 0 | References 10

OSV | added 2025/04/25 12:46 p.m. | 4 views
CLSA-2025-1745585192 ruby: Fix of 3 CVEs
CVE-2025-27219: fix a potential Denial of Service (DoS) vulnerability in cookie parsing - CVE-2025-27220: fix ReDoS vulnerability exists in the escapeElement method - CVE-2025-27221: fix the URI handling methods URI.join, URI#merge, URI#+...
CVSS 7.5 | AI score 6.6 | EPSS 0.00784
Exploits 0 | References 1

Snyk | added 2024/10/08 8:24 p.m. | 2 views
Denial of Service (DoS)
Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) by a hash flooding attack, due to inefficient array processing when handling URI parts. Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and...
CVSS 8.7 | AI score 7 | EPSS 0.02833
Exploits 0 | References 2
