12 matches found

UbuntuCve
added 2026/03/12 9:16 p.m. | 1 view

CVE-2026-1527

Impact: When an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences (\r\n) to: inject arbitrary HTTP headers; terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch). The...

CVSS 4.6 | AI score 6 | EPSS 0.00012
Exploits: 0 | References: 1
OSV
added 2026/02/26 6:23 p.m. | 2 views

CVE-2026-23749

Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwisetransferinit accepts a path whose length equals CONFIGGOLIOTHCOAPMAXPATHLEN and copies it using strncpy without...

CVSS 2.1 | AI score 6
Exploits: 0 | References: 5
F5 Networks
added 2024/05/20 10:1 p.m. | 43 views

K000139698: Python vulnerabilities CVE-2016-5636, CVE-2018-1000802, CVE-2022-48565 and CVE-2023-36632

Security Advisory Description: CVE-2016-5636: Integer overflow in the getdata function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer...

CVSS 10 | AI score 8.8 | EPSS 0.45123
Exploits: 6
Vulnrichment
added 2024/01/31 10:32 p.m. | 5 views

CVE-2024-24571 facileManager Systemic Cross-Site Scripting (XSS)

facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient input validation...

CVSS 5.4 | AI score 6 | EPSS 0.00362
Exploits: 1 | References: 2
NVD
added 2023/12/04 1:15 p.m. | 9 views

CVE-2023-48863

SEMCMS 3.9 is vulnerable to SQL Injection. Due to the lack of security checks on the input of the application, the attacker uses the existing application to inject malicious SQL commands into the background database engine for execution, and sends some attack codes as commands or query statements...

CVSS 7.5 | EPSS 0.00151
Exploits: 1 | References: 2
UbuntuCve
added 2023/06/25 6:15 p.m. | 105 views

CVE-2023-36632

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed ...

CVSS 7.5 | AI score 6.8 | EPSS 0.00279
Exploits: 1 | References: 4
CNNVD
added 2021/08/24 12:0 a.m. | 1 view

Apple tvOS Input Validation Error Vulnerability

Apple tvOS is a set of smart TV operating systems from the American company Apple. An input validation error vulnerability exists in multiple Apple products, where a malicious application could elevate privileges. The vulnerability is fixed in the following products and versions: iOS 15.1 and...

CVSS 7.8 | AI score 7.2 | EPSS 0.00491
Exploits: 0 | References: 14
RedhatCVE
added 2021/03/25 3:23 p.m. | 39 views

CVE-2021-23362

A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression regexp function, shortcutMatch or fromUrl, then an attacker could craft a regexp which takes an ever increasing amount of time to process,...

CVSS 5.3 | AI score 4 | EPSS 0.00554
Exploits: 1 | References: 3
OSV
added 2019/11/12 5:15 p.m. | 0 views

CVE-2019-18926

Systematic IRIS Standards Management ISM v2.1 SP1 89 is vulnerable to unauthenticated reflected Cross Site Scripting XSS. A user input related to dialog information is reflected directly in the web page, allowing a malicious user to conduct a Cross Site Scripting attack against users of the...

CVSS 6.1 | AI score 6.3 | EPSS 0.00618
Exploits: 0 | References: 1
Exploit DB
added 2006/02/09 12:0 a.m. | 40 views

PwsPHP 1.2.3 - SQL Injection

source: https://www.securityfocus.com/bid/16567/info
PwsPHP is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. Successful exploitation could allow an attacker to compromise the...

AI score 7.4
Exploits: 0
Exploit DB
added 2005/08/23 12:0 a.m. | 21 views

SaveWebPortal 3.4 - Multiple Directory Traversal Vulnerabilities

source: https://www.securityfocus.com/bid/14643/info
SaveWebPortal is prone to multiple directory traversal vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. Exploitation of this vulnerability could lead to a loss of confidentiality an...

AI score 7.4
Exploits: 0
exploitpack
added 2005/08/20 12:0 a.m. | 14 views

Land Down Under 800801 - journal.php?m SQL Injection

source: https://www.securityfocus.com/bid/14618/info
Land Down Under is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries. Successful exploitati...

AI score 0.2
Exploits: 0