CVE-2026-41672

A flaw was found in xmldom and @xmldom/xmldom, a JavaScript module for parsing and serializing XML. This vulnerability allows an attacker to inject malicious content into XML comments. By doing so, the attacker can prematurely close a comment and insert unauthorized XML elements into the final...

GHSA-JH37-X3FV-4X72 aiograpi: Unsafe signup challenge path handling

aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended...

PT-2026-42861

aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended...

SUSE CVE-2026-41673

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...

CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

EUVD-2026-28290

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...

EUVD-2026-28289

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

EUVD-2026-28288

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...

CVE-2026-41672

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or...

EUVD-2026-28285

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or...

GHSA-7587-4WV6-M68M rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895

Summary It was possible to trigger an unhandled edge case in the Rust Crypto rsa crate through rPGP packet parsing functionality, and crash the process that runs rPGP. This problem has been patched in a new rsa version. The new release of rPGP ensures a patched version of the rsa crate is in use,...

SUSE CVE-2026-21895

The rsa crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is 1. Version 0.9.10 fixes the issue...

CVE-2026-21895

The rsa crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is 1. Version 0.9.10 fixes the issue...

CVE-2026-21895

The rsa crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is 1. Version 0.9.10 fixes the issue...

UBUNTU-CVE-2026-21895

The rsa crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is 1. Version 0.9.10 fixes the issue...

CVE-2026-21895 rsa crate has potential panic on a prime being equal to 1

The rsa crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is 1. Version 0.9.10 fixes the issue...

CVE-2026-21895

The CVE-2026-21895 entry concerns the rsa crate (Rust) where constructing an RSA private key from components panics if one of the primes equals 1 in versions prior to 0.9.10. The issue is resolved in 0.9.10. Connected sources confirm the affected component (rsa crate) and the fix version, with no...

RSA 安全漏洞

RSA is a Rust library open-sourced by Rust Crypto. A security vulnerability exists in versions of RSA prior to 0.9.10 that stems from a panic when creating an RSA private key, which could lead to mishandling of errors...

GHSA-V7C4-33VF-CQQQ MCPHub has an Improper Authorization vulnerability via its handleSseConnection function

A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and migh...

MCPHub has an Improper Authorization vulnerability via its handleSseConnection function

A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and migh...