945 matches found
SUSE-SU-2026:1371-1 Security update for nodejs20
This update for nodejs20 fixes the following issues: Update to version 20.20.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. - CVE-2026-21716: incomplete fix for...
Security update for nodejs20
This update for nodejs20 fixes the following issues: Update to version 20.20.2. CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. CVE-2026-21716: incomplete fix for CVE-2024-36137...
CVE-2026-40164
A flaw was found in jq, a command-line JSON processor. A remote attacker could exploit this vulnerability by providing a specially crafted JSON object. This object leverages a weakness in jq's hashing algorithm, which uses a hardcoded, publicly known seed. By crafting the JSON object to cause has...
CVE-2026-40164 jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed 0x432A9843 for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSO...
CVE-2026-40164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed 0x432A9843 for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSO...
CVE-2026-40164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed 0x432A9843 for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSO...
CVE-2026-40164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed 0x432A9843 for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSO...
Security update for nodejs24
This update for nodejs24 fixes the following issues: Update to 24.14.1 CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service bsc1256576. CVE-2026-21710: uncaught TypeError exception can cause a denial ...
SUSE-SU-2026:21181-1 Security update for nodejs24
This update for nodejs24 fixes the following issues: Update to version 24.14.1. Security issues fixed: - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. - CVE-2026-21716:...
nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by...
nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by...
PT-2026-32565
Name of the Vulnerable Software and Affected Versions jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 Description The software used MurmurHash3 with a hardcoded, publicly visible seed 0x432A9843 for all JSON object hash table operations. This allows an attacker to precompute...
nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions
A flaw was found in V8's string hashing mechanism within Node.js. A remote attacker can exploit this vulnerability by crafting requests containing integer-like strings. These specially crafted strings cause predictable hash collisions in V8's internal string table, particularly when processed by...
PT-2026-31760
OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...
Expected Behavior Violation
Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Expected Behavior Violation due to insufficient scoping of replay deduplication keys in webhook event processing. An attacker can cause legitimate messages from different conversations o...
CVE-2026-35039
fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...
CVE-2026-35039
fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...
CVE-2026-35039
fast-jwt provides fast JSON Web Token JWT implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification proce...
BIT-NODE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...
GHSA-RP9M-7R4C-75QG fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
NOTE: While the library exposes a mechanism which could introduce the vulnerability, this issue is created by developer-supplied code and not by the library itself. We will add a warning and some education for users around the possible issues however since the defaults work we will not be updatin...