235 matches found
Improper Encoding or Escaping of Output
Overview shescape is a simple shell escape library Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in...
GHSA-9JFH-9XRQ-4VWM Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Summary Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret12 to expand into multiple filesystem matches instead of a single...
Lab-Reflected-XSS-into-attribute-with-angle-brackets-HTML-encoded
Reflected XSS - Attribute Injection A simple demonstration of...
MiracleLinux 8 : python39:3.9 (AXSA:2025-11636:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-11636:01 advisory. python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used CVE-2024-5642 python: Virtual environment venv activation scripts...
MiracleLinux 9 : python3.11-3.11.11-2.el9 (AXSA:2025-10375:03)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10375:03 advisory. python: cpython: URL parser allowed square brackets in domain names CVE-2025-0938 Tenable has extracted the preceding description block directly from the...
MiracleLinux 9 : python3.12-3.12.9-1.el9 (AXSA:2025-10388:05)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10388:05 advisory. python: cpython: URL parser allowed square brackets in domain names CVE-2025-0938 Tenable has extracted the preceding description block directly from the...
Siemens Ruggedcom ROX Improper Input Validation (CVE-2025-0938)
The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in...
CLSA-2026-1767800687 python2: Fix of CVE-2025-0938
CVE-2025-0938: disallow square brackets in domain names for parsed URLs to prevent differential URL parsing...
CLSA-2026-1767800092 python2: Fix of CVE-2025-0938
CVE-2025-0938: disallow square brackets in domain names for parsed URLs to prevent differential URL parsing...
CLSA-2026-1767629333 python2: Fix of CVE-2025-0938
CVE-2025-0938: disallow square brackets in domain names for parsed URLs to prevent differential URL parsing...
python: cpython: URL parser allowed square brackets in domain names
A flaw was found in Python. The Python standard library functions urllib.parse.urlsplit and urlparse accept domain names that included square brackets, which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs...
RockyLinux 8 : python39:3.9 (RLSA-2025:23530)
The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:23530 advisory. python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used CVE-2024-5642 python: Virtual environment venv activation scripts don'...
Important: python39:3.9 security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
OESA-2025-2828 golang security update
. Security Fixes: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses...
OESA-2025-2826 golang security update
. Security Fixes: The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses...
Important: cri-tools
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...
Important: cni-plugins
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...
Important: cni-plugins
Issue Overview: net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed withi...
Amazon Linux 2 : oci-add-hooks, --advisory ALAS2ECS-2025-080 (ALASECS-2025-080)
The version of oci-add-hooks installed on the remote host is prior to 0-0.5.20200504git325a340. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2025-080 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values...
Amazon Linux 2 : containerd, --advisory ALAS2DOCKER-2025-082 (ALASDOCKER-2025-082)
The version of containerd installed on the remote host is prior to 2.1.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2025-082 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6...