6256 matches found
Byte XORi Encoder
Byte XOR encoder for RISC-V 64-bit Little Endian. Encodes the payload byte-by-byte with a 1-byte XOR key using the xori instruction. Useful when R-type XOR instruction bytes 0x33 are bad characters. Module Options msf use encoder/riscv64le/bytexori msf encoderbytexori show actions ...actions... m...
Byte XORi Encoder
Byte XOR encoder for RISC-V 32-bit Little Endian. Encodes the payload byte-by-byte with a 1-byte XOR key using the xori instruction. Useful when R-type XOR instruction bytes 0x33 are bad characters. Module Options msf use encoder/riscv32le/bytexori msf encoderbytexori show actions ...actions... m...
CVE-2026-57167 PeerTube: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence...
EUVD-2026-34067
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user...
CVE-2026-53878
A flaw was found in Django. django.core.validators.DomainNameValidator accepted newline characters in domain name input. When applications use this validator outside Django form fields and include the validated value in HTTP response headers, a remote attacker could perform HTTP header injection...
CVE-2026-59875
A flaw was found in node-tar, a library for manipulating tar archives in Node.js. A remote attacker could craft a malicious archive containing null characters NUL bytes in its metadata. When this archive is processed, the unstripped null characters can cause the application to terminate...
CVE-2026-50188 Kirby: Request header injection in `Http\Remote`
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request, Remote::get, and Remote::post, to send outgoing HTTP requests with untrusted data in the headers option could allow newline characters...
CVE-2026-58213
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...
PT-2026-56561
Name of the Vulnerable Software and Affected Versions NATS Server versions prior to 2.14.1 NATS Server versions prior to 2.12.9 Description An MQTT client can include protocol control characters in subscription filters. These characters are subsequently forwarded as NATS protocol data to route or...
CVE-2026-55427
Coder exposes SSH config injection risk via the config-ssh command: before 2.34.2, 2.33.8, 2.32.7, and 2.29.17, server-supplied values for HostnameSuffix and SSHConfigOptions could be written into ~/.ssh/config without rejecting newlines or restricting directives. This could enable a malicious or...
jastow: Jastow Cross-Site Scripting attack due to unsanitized URI
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling...
jastow: Jastow Cross-Site Scripting attack due to unsanitized URI
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling...
jastow: Jastow Cross-Site Scripting attack due to unsanitized URI
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling...
CVE-2025-12799
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling...
Improper Neutralization
Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Improper Neutralization via the DomainNameValidator process. An attacker can inject arbitrary HTTP headers by submitting input...
CVE-2025-12799
A flaw was found in Jastow. Jastow is vulnerable to Cross-Site Scripting XSS attack. If using a set of combined configuration to allow unescaped characters in URL with embedded Undertow and Jastow, a server might be vulnerable to improper input handling. Mitigation It is possible to contruct...
PT-2026-56203
Name of the Vulnerable Software and Affected Versions Jastow affected versions not specified Description Jastow is susceptible to Cross-Site Scripting XSS, a flaw where malicious scripts are injected into trusted websites. This occurs due to improper input handling of unsanitized URIs when a...
CVE-2026-59711
CVE-2026-59711 affects the showdown library. A cross-site scripting vulnerability exists in metadata title handling when the completeHTMLDocument option is enabled; unescaped characters in markdown frontmatter metadata are placed into HTML title tags, allowing script execution in the rendered pa...
CVE-2026-59711
showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...
CVE-2026-9563
Eclipse Parsson JSON parser did not enforce a default maximum on parsed characters before 1.1.8, allowing DoS from attacker-controlled JSON via very large documents. The fixed version, Parsson 1.1.8, adds a configurable limit with a default of 15 million parser-consumed characters. Affected: Ecli...