42 matches found
CVE-2026-34043 Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...
CVE-2026-34043
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...
CVE-2026-34043 Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...
CVE-2026-34043
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...
CVE-2026-34043 Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but ha...
CVE-2026-34043
CVE-2026-34043 affects the Node.js module serialize-javascript. The vulnerability causes a DoS via CPU exhaustion when serializing a specially crafted array-like object with a very large length, leading to a 100% CPU loop and hang. This is fixed in version 7.0.5; affected deployments should upgra...
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Impact What kind of vulnerability is it? It is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that...
GHSA-QJ8W-GFJ5-8C6V Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Impact What kind of vulnerability is it? It is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that...
PT-2025-37749
Name of the Vulnerable Software and Affected Versions: is-arrayish versions prior to 0.3.4 Description: The is-arrayish package was compromised through a phishing attack on an npm publishing account. Version 0.3.3 was published with a malware payload designed to redirect cryptocurrency transactio...
Protection Mechanism Failure
Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Protection Mechanism Failure in a sandbox, an attacker can access attributes of Array-like objects due to improper validation by the security policy. Note: This change...
UBUNTU-CVE-2024-51755
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the isset method is now called after the security check. This is a BC break. This issue has...
GHSA-JJXQ-FF2G-95VH Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled
Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the isset method is now called after the security check. This is a BC break. Resolution The sandbox mode now ensures...
CVE-2024-51755 Unguarded calls to __isset() and to array-accesses when the sandbox is enabled in Twig
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the isset method is now called after the security check. This is a BC break. This issue has...
CVE-2024-51755 Unguarded calls to __isset() and to array-accesses when the sandbox is enabled in Twig
Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the isset method is now called after the security check. This is a BC break. This issue has...
PT-2024-34886 · Twig +1 · Twig +1
Name of the Vulnerable Software and Affected Versions: Twig versions prior to 3.11.2 Twig versions prior to 3.14.1 Description: In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and t...
Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)
...
Command injection via array-ish $command parameter of proc_open()
...
GHSA-F6MQ-6FX5-W2CH Jenkins Script Security Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b0b0aa451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary...
Cross-Site Scripting (XSS)
striptags is vulnerable to cross-site scripting XSS. A type-confusion vulnerability occurs when concatenating unsanitized strings when an array-like object is passed in as the html parameter. An attacker who is able to control the shape of their input can abuse this behavior to inject and execute...
CVE-2021-32696
The npm package "striptags" is an implementation of PHP's striptags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attack...