5 matches found
CVE-2026-29080
CVE-2026-29080 describes an SQL injection in Rucio’s FilterEngine for Oracle JSON Path via the DID search API. In Oracle deployments using the default json_meta plugin, create_sqla_query() interpolates attacker-controlled key and value directly into sqlalchemy.text() via Python .format(), bypassi...
PT-2026-38081
A SQL injection vulnerability in FilterEngine.create_sqla_query allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. On Oracle deployments, attacker-controlled filter keys and values are interpolated...
AZL-59541 CVE-2025-32051 affecting package libsoup for versions less than 3.4.4-6
A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri function may crash when processing a malformed data URI. This flaw allows an attacker to cause a denial of service (DoS)...
SUSE CVE-2011-2609
Opera before 11.50 does not properly restrict data: URIs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site...
Cross-site Scripting (XSS)
Overview: loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper neutralization of data URIs, via the image/svg+xml media type. Details...