7 matches found

GitHub Security Blog
added 2026/05/19 7:39 p.m. · 6 views

Diesel: Possible unaligned data access for implementations of `SqliteAggregate`

Diesel allows registering custom aggregate SQL functions for SQLite via the SqliteAggregate interface. To store an instance of the custom aggregate processor, Diesel relied on the sqlite3_aggregate_context function provided by SQLite. This function doesn't provide any guarantees about alignment of t...

5.9 AI score
Exploits 0 · References 3 · Affected Software 1
OSV
added 2026/05/05 6:8 p.m. · 2 views

GHSA-H5X4-M2QF-R4F2 Diesel's SQLite backend has possible UTF-8 corruption

Diesel uses the sqlite3_value_text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns UTF-8 encoded string values as const c_char. Based on that we used str::from_utf8_unchecked to...

8.7 CVSS · 6.1 AI score
Exploits 0 · References 3
Snyk
added 2026/05/04 9:27 p.m. · 5 views

Client-Side Enforcement of Server-Side Security

Overview: Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security in the GetSettings process. An attacker can obtain sensitive information by sending authenticated requests to the API, which returns protected fields such as authentication secrets, node...

7.1 CVSS · 5.8 AI score · 0.00042 EPSS
Exploits 1 · References 2
Positive Technologies
added 2026/05/04 12:0 a.m. · 4 views

PT-2026-36920

Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.8 Description: An authenticated user can access the 'GET /api/settings' endpoint to retrieve sensitive configuration values, such as node.secret. This secret is accepted by the AuthRequired function via the...

6.5 CVSS · 5.8 AI score · 0.00038 EPSS
Exploits 1 · References 5
OSV
added 2026/04/24 12:0 p.m. · 4 views

RUSTSEC-2026-0135 Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend

Diesel allows users to output the generated SQL for any query DSL construct via the diesel::debug_query function as Display and Debug output. For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a reprru...

5.9 AI score
Exploits 0 · References 3
RustSec
added 2026/04/24 12:0 p.m. · 7 views

Possible unaligned data access for implementations of `SqliteAggregate`

Diesel allows registering custom aggregate SQL functions for SQLite via the SqliteAggregate interface. To store an instance of the custom aggregate processor, Diesel relied on the sqlite3_aggregate_context function provided by SQLite. This function doesn't provide any guarantees about alignment of t...

5.9 AI score
Exploits 0 · Affected Software 1
Positive Technologies
added 2021/03/16 12:0 a.m. · 2 views

PT-2021-10311 · Apache · Apache Hive

Name of the Vulnerable Software and Affected Versions: Apache Hive versions prior to 2.3.8 Description: The issue is related to Apache Hive's cookie signature verification, which used a non-constant time comparison. This comparison is known to be vulnerable to timing attacks, potentially allowing...

5.9 CVSS · 5.7 AI score · 0.00478 EPSS
Exploits 0 · References 7