CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

quic-go HTTP/3 QPACK Header Expansion DoS

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header names and/or large values. The implementation builds an http.Header used on th...

GHSA-G754-HX8W-X2G6 quic-go HTTP/3 QPACK Header Expansion DoS

Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header names and/or large values. The implementation builds an http.Header used on th...

quic-go 安全漏洞

quic-go is an implementation of the QUIC protocol, RFC 9000 protocol, in Go by the individual developer Lucas Clemente. A security vulnerability exists in quic-go 0.56.0 and earlier versions, which stems from a failure to enforce restrictions on decoded headers and could lead to memory exhaustion...

CVE-2025-48631

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-48631

CVE-2025-48631 pertains to Android Framework: a vulnerability in LocalImageResolver.java (onHeaderDecoded) can cause remote denial of service via resource exhaustion, with no user interaction required. The issue is being tracked in Android Security Bulletin; mitigation is to apply the relevant pa...

CVE-2025-66261

CVE-2025-66261 describes an unauthenticated OS command injection in DB Electronica Mozart FM Transmitter devices (models 30–7000) via the /var/tdf/restore_settings.php endpoint. The vulnerability occurs because the user-controlled GET parameter name is URL-decoded and passed directly to exec() wi...

curl: libcurl FTP path normalization flaw allows decoded %2e%2e → CWD .. and directory escape (Path Traversal, CWE-22)

ftpparseurlpath in lib/ftp.c URL-decodes FTP path segments e.g. %2e%2e and then splits the decoded path into components using an ad-hoc loop that skips empty components produced by //. The code does not perform canonical path normalization no stack-based handling of . or ... As a result, encoded...

Security update for mozilla-nss

This update for mozilla-nss fixes the following issues: Move NSS DB password hash away from SHA-1. Update to NSS 3.112.2: Prevent leaks during pkcs12 decoding. SECASN1Decode should ensure it has read as many bytes as each length field indicates Update to NSS 3.112.1: restore support for finding...

SUSE-SU-2025:3760-1 Security update for mozilla-nss

This update for mozilla-nss fixes the following issues: - Move NSS DB password hash away from SHA-1. Update to NSS 3.112.2: Prevent leaks during pkcs12 decoding. SECASN1Decode should ensure it has read as many bytes as each length field indicates Update to NSS 3.112.1: restore support for finding...

EUVD-2012-2770

Malware in sbrugna...

EUVD-2017-15883

Malware in sbrugna...

curl: Unsanitized IPFS CID Allows SSRF Against Configured Gateway

Summary: ipfsurlrewrite in src/toolipfs.c decodes the host component CID of ipfs:// / ipns:// URLs using CURLUURLDECODE and then concatenates that decoded value directly into the gateway path aprintf"%s%s/%s%s", ... without normalization or validation. A crafted host value for example...

Linux Distros Unpatched Vulnerability : CVE-2020-7070

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are...

Linux Distros Unpatched Vulnerability : CVE-2024-50349

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to...

SUSE CVE-2025-53633

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario i.e. a zip archive, the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication nor authorization, ...

git: Git does not sanitize URLs when asking for credentials interactively

A flaw was found in Git. This vulnerability occurs when Git requests credentials via a terminal prompt, for example, without the use of a credential helper. During this process, Git displays the host name for which the credentials are needed, but any URL-encoded parts are decoded and displayed...

git: Git does not sanitize URLs when asking for credentials interactively

A flaw was found in Git. This vulnerability occurs when Git requests credentials via a terminal prompt, for example, without the use of a credential helper. During this process, Git displays the host name for which the credentials are needed, but any URL-encoded parts are decoded and displayed...

GHSA-CQM8-RG2P-JFCF Infinispan CLI vulnerable to Generation of Error Message Containing Sensitive Information

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found...

CVE-2021-21368

msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "proto", it assigns the decoded value to proto. Object.prototype.proto is an access...