CVE-2026-41710 Cache Exhaustion in Stateful Retries leads to Denial of Service

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to...

360solutions-bc-mcp (>=0.5.3 <=0.5.6), 3di-cmd-client (>=0.0.1a0 <=0.0.3) +781 more potentially affected by CVE-2026-48526 via pyjwt (>=2.0.0 <=2.12.1)

pyjwt PYPI version =2.0.0, =0.5.3, =0.0.1a0, =1.1.1, =0.1.0, =0.1.1, =0.1.31, =0.1.0, =1.5.0, =0.1.0, =0.2.9, =0.5.0, =1.89.5, =1.420.4 and more Source cves: CVE-2026-48526 Source advisory: SNYK:PYTHON-PYJWT-17053408...

PT-2026-43064

Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0-beta.1 through 4.0.0 Description An infinite loop exists in the Alt-Svc response header parser within src/hackney altsvc.erl. When the parse token/2 function receives a byte that is not a token, whitespace, or comma such...

PT-2026-43069

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney ws.erl copies the host, path, headers ExtraHeaders, and protocols options from the caller-supplied opts map into the intern...

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +11 more potentially affected by unknown CVE via @antv/g-plugin-dom-interaction (>=2.0.0 <=2.1.9)

@antv/g-plugin-dom-interaction NPM version =2.0.0, =2.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 - @antv/g6-extension-3d =0.1.20 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory:...

1byte-react-design (>=1.7.1 <=1.14.0), @aaf-comp/graph-widget (>=1.0.0 <=1.0.3) +312 more potentially affected by unknown CVE via @antv/g-lite (>=2.0.0 <=2.7.0)

@antv/g-lite NPM version =2.0.0, =1.7.1, =1.0.0, =1.1.43, =5.0.48, =1.0.1, =1.0.4, =2.0.0, =2.0.0, =1.0.0, =2.0.0, =3.0.3, =3.0.0, =2.0.0, =0.5.6, =6.0.0, =6.3.1 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGLITE-16755025...

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +7 more potentially affected by unknown CVE via @antv/g-plugin-canvas-renderer (>=2.0.0 <=2.5.1)

@antv/g-plugin-canvas-renderer NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.58 - @antv/g6 =5.0.46 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINCANVASRENDERER-16754430...

4house-libts-places-autocomplete (=1.0.0), @77sol-ui/atoms (>=5.1.0 <=5.4.0) +278 more potentially affected by unknown CVE via jest-canvas-mock (>=2.0.0-beta.1 <=2.5.2)

jest-canvas-mock NPM version =2.0.0-beta.1, =5.1.0, =1.0.1, =1.0.0, =1.0.0, =0.0.0, =0.0.1-react-native, =2.1.0-alpha.0, =2.1.0-alpha.0, =2.1.0-alpha.0, =2.1.0-alpha.250, =2.1.0-alpha.250, =0.0.5, =0.0.6, =0.3.113, =0.5.0 and more Source cves: unknown CVE Source advisory:...

NPM: n8n Has an Arbitrary File Read via Git Node

NPM: n8n Has an Arbitrary File Read via Git Node vulnerability discovered by ? in WordPress Npm n8n versions 1.123.43...

NPM: protobuf.js: Code injection in pbjs static output from crafted schema names

NPM: protobuf.js: Code injection in pbjs static output from crafted schema names vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.2.0...

CVE-2026-33635

The CVE-2026-33635 entry concerns the iCalendar Ruby library. Affected versions are 2.0.0 up to, but not including, 2.12.2, where ICS serialization fails to sanitize URI property values in calendar data. Specifically, Icalendar::Values::Uri falls back to the raw input when URI.parse fails and the...

@tinacms/app (>=0.0.0-00aadfd-20260223215804 <=2.3.26), @tinacms/cli (>=0.0.0-00aadfd-20260223215804 <=2.1.7) +7 more potentially affected by CVE-2026-29066 via @tinacms/schema-tools (>=2.0.0 <=2.6.0)

@tinacms/schema-tools NPM version =2.0.0, =0.0.0-00aadfd-20260223215804, =0.0.0-00aadfd-20260223215804, =0.0.0-00aadfd-20260223215804, =0.0.0-00aadfd-20260223215804, =2.0.0, =0.0.0-00aadfd-20260223215804, =0.0.0-00aadfd-20260223215804, =0.0.0-00aadfd-20260223215804, =0.0.0-00aadfd-20260223215804,...

Apache IoTDB has an Insecure Default Configuration Vulnerability

A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue...

acceldata-o2a (=1.0.0), aglow (>=0.1.0rc3 <=0.1.0rc4) +30 more potentially affected by CVE-2024-56373 via apache-airflow (>=2.0.0 <=2.11.0)

apache-airflow PYPI version =2.0.0, =0.1.0rc3, =0.1.0, =0.6.0, =0.0.1, =0.6.4, =1.0.0, =0.2.0, =2.10.3, =0.3.12, =1.8.0rc2, =4.3.0, =6.0.1 and more Source cves: CVE-2024-56373 Source advisory: SNYK:PYTHON-APACHEAIRFLOW-15339025...

@kimuson/claude-code-viewer (>=0.4.2 <=0.5.9), @netlify/agent-runner-cli (>=1.0.0-broken <=1.58.3) +16 more potentially affected by CVE-2026-24053 via @anthropic-ai/claude-code (>=2.0.0 <=2.0.69)

@anthropic-ai/claude-code NPM version =2.0.0, =0.4.2, =1.0.0-broken, =0.0.1-rc.1, =0.12.0, =0.5.2, =0.12.1, =1.1.43, =0.0.0, =0.1.2, =0.11.1, =0.11.0, =0.11.2 - happyzebra-cli =0.11.2 and more Source cves: CVE-2026-24053 Source advisory: SNYK:JS-ANTHROPICAICLAUDECODE-15202063...

go-tuf data falsification vulnerability

go-tuf is a framework developed by The Update Framework for protecting software update systems. Versions of go-tuf from 2.0.0 to 2.3.1 had a data manipulation vulnerability due to improper configuration of the signature threshold. This vulnerability could allow unauthorized modifications to TUF...

app.tozzi.mail:pec-parser (=4.0.0), app.tozzi:uudecoder (=4.0.0) +1243 more potentially affected by CVE-2025-7962 via com.sun.mail:jakarta.mail (>=2.0.0 <=2.0.1)

com.sun.mail:jakarta.mail MAVEN version =2.0.0, =0.2.0, =0.2.0, =2.0.1, =2.0.0, =0.1, =0.4, =1.0.0, =2022.3.4.0, =1.0.0-JDK21, =1.0.3.2-JDK21 - cn.sunyblog.easymail:easymail-spring-boot-starter3 =1.0.1 and more Source cves: CVE-2025-7962 Source advisory: OSV:GHSA-9342-92GG-6V29...

@alfresco/adf-testing (=6.0.0-A.2-8258), @genexus/ngx-aws-deploy (=5.2.1) +6 more potentially affected by CVE-2025-5889 via brace-expansion (>=2.0.0 <=2.0.1)

brace-expansion NPM version =2.0.0, =1.16.0, =1.0.1, =0.0.20, =15.0.0 - fluid-webdriver =1.1.2 - nx-cargo =1.0.0-alpha.2 Source cves: CVE-2025-5889 Source advisory: OSV:GHSA-V6H2-P8H4-QCJW...

log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint...

CVE-2024-53733

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in harshtohit111 Fence URL fence-url allows Stored XSS.This issue affects Fence URL: from n/a through = 2.0.0...