Lucene search
K

687 matches found

NVD
NVD
added 2026/02/20 9:19 p.m.12 views

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS0.00445EPSS
Exploits1References11
OSV
OSV
added 2026/02/20 9:19 p.m.5 views

DEBIAN-CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS7.3AI score0.00445EPSS
Exploits1References1
OSV
OSV
added 2026/02/20 9:19 p.m.4 views

UBUNTU-CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS5.9AI score0.00445EPSS
Exploits1References6
UbuntuCve
UbuntuCve
added 2026/02/20 9:19 p.m.6 views

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS5.8AI score0.00445EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/02/20 8:57 p.m.6 views

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS6AI score0.00445EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/02/20 8:57 p.m.26 views

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS0.00445EPSS
Exploits1References4
OSV
OSV
added 2026/02/20 8:57 p.m.5 views

CVE-2026-25896 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS5.7AI score0.00445EPSS
Exploits1References13
CVE
CVE
added 2026/02/20 8:57 p.m.81 views

CVE-2026-25896

CVE-2026-25896 affects the Node.js XML parser fast-xml-parser. From 4.1.3 up to (but not including) 5.3.5, a dot in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing shadowing of built-in entities and bypassing encoding, which can lead to XSS when parsed out...

9.3CVSS5.7AI score0.00445EPSS
Exploits1References11Affected Software1
Debian CVE
Debian CVE
added 2026/02/20 8:57 p.m.7 views

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...

9.3CVSS7.3AI score0.00445EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/02/20 6:23 p.m.36 views

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Entity encoding bypass via regex injection in DOCTYPE entity names Summary A dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities , , &, ", ' with arbitrary values. This bypasses entity encoding and leads to...

9.3CVSS7.1AI score0.00445EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/20 12:0 a.m.5 views

PT-2026-21298

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions 4.1.3 through 5.3.5 Description fast-xml-parser has a flaw in how it handles DOCTYPE entity names during XML parsing. Specifically, a dot . within an entity name is treated as a regex wildcard during entity replacement...

9.3CVSS5.6AI score0.00445EPSS
Exploits1References157
RedhatCVE
RedhatCVE
added 2026/02/16 7:30 p.m.7 views

CVE-2026-26367

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UGUSER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce...

8.1CVSS5.8AI score0.00373EPSS
Exploits2References1
NVD
NVD
added 2026/02/15 4:15 p.m.6 views

CVE-2026-26367

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UGUSER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce...

8.1CVSS0.00373EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/02/15 3:29 p.m.4 views

CVE-2026-26367

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UGUSER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce...

7.1CVSS5.8AI score0.00373EPSS
Exploits2References3
EUVD
EUVD
added 2026/02/15 3:29 p.m.5 views

EUVD-2026-6143

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UGUSER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce...

7.1CVSS5.8AI score0.00373EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2026/02/15 12:0 a.m.10 views

PT-2026-8251

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user UG USER to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce...

7.1CVSS5.8AI score0.00373EPSS
Exploits2References3
NVD
NVD
added 2026/02/03 6:16 p.m.10 views

CVE-2026-24673

The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the...

5.3CVSS0.00241EPSS
Exploits1References1
Spring Security Advisories
Spring Security Advisories
added 2026/01/28 12:0 a.m.9 views

Anthropic Agent Skills Support in Spring AI

In this blog, we show how using Spring AI, we can integrate with Anthropic's Native Skills API for Cloud-Based Document Generation and Custom Skills. Spring AI adds support for Anthropic's Agent Skills — modular capabilities that let Claude generate actual files rather than text descriptions. Wit...

6AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/01/27 9:23 p.m.12 views

CVE-2026-24429

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated acce...

9.8CVSS5.9AI score0.00371EPSS
Exploits0References1
OSV
OSV
added 2026/01/26 6:16 p.m.5 views

CVE-2026-24429

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated acce...

9.8CVSS5.8AI score0.00371EPSS
Exploits0References2
Rows per page
Query Builder