urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion

A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...

pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID

A flaw was found in pyasn1, a generic ASN.1 library for Python. A remote attacker could exploit this vulnerability by sending a specially crafted RELATIVE-OID with excessive continuation octets. This input validation vulnerability leads to memory exhaustion, resulting in a Denial of Service DoS f...

CVE-2026-54911 UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

CVE-2026-54911

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

CVE-2026-54911 UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

EUVD-2026-38362

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

CVE-2026-54911

CVE-2026-54911 (UltraJSON) : The vulnerability affects UltraJSON (C core with Python bindings) where ujson.dumps()/dump()/encode() with reject_bytes=False may accept malformed or truncated UTF-8, silently rewriting to other Unicode characters instead of rejecting. This enables input validation by...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the YAML processing. An attacker can execute arbitrary code by supplying crafted YAML input that triggers unsafe class loading during operations such as CloudFormation deployments or CloudFoundry...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the YAML processing. An attacker can execute arbitrary code by supplying crafted YAML input that triggers unsafe class loading during operations such as CloudFormation deployments or CloudFoundry...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the YAML processing. An attacker can execute arbitrary code by supplying crafted YAML input that triggers unsafe class loading during operations such as CloudFormation deployments or CloudFoundry...

Deserialization of Untrusted Data

Overview io.spinnaker.orca:orca-clouddriver is a Spinnaker Orca Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the YAML processing. An attacker can execute arbitrary code by supplying crafted YAML input that triggers unsafe class loading during operations...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the inconsistent output encoding of user-supplied parameters in HTML responses through the FSUtils.postToTarget function. An attacker can execute arbitrary scripts in the context of the user's browser by...

GHSA-7CFQ-5MHV-JRP9 Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected)

Summary A malicious container can crash or destabilize the privileged Inspektor Gadget process when a gadget using USDT probes is deployed. The vulnerability is in the USDT note parser pkg/uprobetracer/usdt.go which is invoked when a gadget with a SEC"usdt/..." section attaches to a target binary...

Inspektor Gadget: Unprivileged container can crash USDT note parser via crafted ELF (no shipped gadget affected)

Summary A malicious container can crash or destabilize the privileged Inspektor Gadget process when a gadget using USDT probes is deployed. The vulnerability is in the USDT note parser pkg/uprobetracer/usdt.go which is invoked when a gadget with a SEC"usdt/..." section attaches to a target binary...

CVE-2026-41479

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported responsetype and supplies an attacker-controlled redirecturi. The...

EUVD-2026-38360

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported responsetype and supplies an attacker-controlled redirecturi. The...

CVE-2026-41479 Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_uri on unsupported response_type

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported responsetype and supplies an attacker-controlled redirecturi. The...

CVE-2026-41479 Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_uri on unsupported response_type

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported responsetype and supplies an attacker-controlled redirecturi. The...