271 matches found
CVE-2026-47160 Vaultwarden: Server-side request forgery (SSRF) via Icon Endpoint Decimal/Hex/Octal IP Bypass
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's /icons/domain/icon.png endpoint used src/httpclient.rs checks including shouldblockaddress and postresolve that missed decimal, hexadecimal, and octal IP representations, allowing SSRF through the...
CVE-2026-47160
Vaultwarden is affected by a server-side request forgery (SSRF) in the /icons/{domain}/icon.png endpoint, where decimal/hexadecimal/octal IP representations bypassed should_block_address() and post_resolve() checks, enabling blind internal network or port discovery. The issue is fixed in version ...
CVE-2026-47160 Vaultwarden: Server-side request forgery (SSRF) via Icon Endpoint Decimal/Hex/Octal IP Bypass
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's /icons/domain/icon.png endpoint used src/httpclient.rs checks including shouldblockaddress and postresolve that missed decimal, hexadecimal, and octal IP representations, allowing SSRF through the...
Linux Distros Unpatched Vulnerability : CVE-2026-39894
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupda...
Malicious code in console-fmt-cli (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. console-fmt-cli uses a side-loader technique: it declares decimal-format-core =3.0 as a dependency, which contains a dropper that executes at install time via a postinstall hook. The dropper fetches a...
CVE-2026-50171
A flaw was found in the @angular/common package of Angular. The formatNumber function, which is also used by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. A remote attacker could exploit this by providing a maliciously crafted...
CVE-2026-39894
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
DEBIAN-CVE-2026-39894
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
UBUNTU-CVE-2026-39894
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
CVE-2026-39894
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
CVE-2026-39894 Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
CVE-2026-39894
CVE-2026-39894 affects Cacti (≤ 1.2.30). Locale-dependent decimal formatting in rrdtool_function_update() uses PHP string interpolation for metric values after is_numeric(), so a value like 1.5 may be rendered as 1,5 under LC_NUMERIC with a comma decimal. RRDtool expects a dot, causing metric dat...
CVE-2026-39894 Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
PT-2026-52129
Name of the Vulnerable Software and Affected Versions Cacti versions prior to 1.2.31 Description Locale-dependent decimal formatting in the rrdtool function update function can lead to the corruption of RRDtool metric values. The function validates metric values using is numeric and incorporates...
CVE-2026-50171
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber functio...
DEBIAN-CVE-2026-50171
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber functio...
CVE-2026-50171
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber functio...
CVE-2026-50171
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber functio...
CVE-2026-50171 Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber functio...
CVE-2026-50171
The CVE concerns Angular (vulnerable in @angular/common) where formatNumber used by DecimalPipe, PercentPipe, and CurrencyPipe mishandles digitsInfo bounds. Specifically, parsing digitsInfo with large fraction digits (e.g., 1.200000000-200000000) causes an unbounded loop in roundNumber, leading t...