2423 matches found

NVD
added 2026/01/22 3:15 a.m., 2 views

CVE-2026-24006

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in...

CVSS 7.5 | EPSS 0.00041
Exploits: 0 | References: 2

Cvelist
added 2026/01/22 2:32 a.m., 22 views

CVE-2026-24006 Seroval affected by Denial of Service via Deeply Nested Objects

Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in...

CVSS 7.5 | EPSS 0.00041
Exploits: 0 | References: 2

Snyk
added 2026/01/22 12:00 a.m., 1 view

Uncontrolled Recursion

Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion in the dumps function in formatter.rs. An attacker can cause a core dump by supplying a deeply nested JSON document. PoC (python): import orjson; import sys; import platform; print(f'OS: {platform.platform()}'); print(f'Python...

CVSS 7.5 | AI score 5.4 | EPSS 0.00029
Exploits: 1 | References: 2

CNNVD
added 2026/01/22 12:00 a.m., 1 view

Seroval security vulnerabilities

Seroval is a formatted Java library developed by Alexis H. Munsayac. Versions of Seroval 1.4.0 and earlier contained security vulnerabilities, which stemmed from the potential to exceed the maximum call stack limit when serializing objects with a high serialization depth...

CVSS 7.5 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 3

Positive Technologies
added 2026/01/22 12:00 a.m., 2 views

PT-2026-3907

Name of the Vulnerable Software and Affected Versions: Seroval versions 1.4.0 and below. Description: Seroval allows JavaScript value stringification, including complex structures beyond the capabilities of JSON.stringify. In versions 1.4.0 and below, serializing objects with significant depth can...

CVSS 7.5 | AI score 5.3 | EPSS 0.00041
Exploits: 0 | References: 11

OSV
added 2026/01/20 9:16 p.m., 2 views

AZL-74985 CVE-2025-59466 affecting package nodejs for versions less than 20.14.0-13

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 7.5 | AI score 7.2 | EPSS 0.0003
Exploits: 0 | References: 1

NVD
added 2026/01/20 9:16 p.m., 1 view

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 7.5 | EPSS 0.0003
Exploits: 0 | References: 1

OSV
added 2026/01/20 9:16 p.m., 3 views

AZL-74973 CVE-2025-59466 affecting package nodejs18 18.20.3-11

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 7.5 | AI score 6.9 | EPSS 0.0003
Exploits: 0 | References: 1

OSV
added 2026/01/20 9:16 p.m., 0 views

UBUNTU-CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 7.5 | AI score 7.1 | EPSS 0.0003
Exploits: 0 | References: 3

AlpineLinux
added 2026/01/20 8:41 p.m., 6 views

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 7.5 | AI score 7 | EPSS 0.0003
Exploits: 0 | References: 1

Cvelist
added 2026/01/20 8:41 p.m., 11 views

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 5.9 | EPSS 0.0003
Exploits: 0 | References: 1

Vulnrichment
added 2026/01/20 8:41 p.m., 2 views

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on...

CVSS 5.9 | AI score 5.5 | EPSS 0.0003
Exploits: 0 | References: 1

Tenable Nessus
added 2026/01/20 12:00 a.m., 4 views

MiracleLinux 9 : openexr-3.1.1-2.el9.1 (AXSA:2024-9242:02)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-9242:02 advisory. OpenEXR: Heap Overflow in Scanline Deep Data Parsing (CVE-2023-5841). Tenable has extracted the preceding description block directly from the MiracleLinux...

CVSS 9.1 | AI score 5.6 | EPSS 0.00804
Exploits: 1 | References: 2

Vulnrichment
added 2026/01/16 4:29 p.m., 1 view

CVE-2026-23523 Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the...

CVSS 9.6 | AI score 6.6 | EPSS 0.0006
Exploits: 1 | References: 2

CVE
added 2026/01/16 4:29 p.m., 8 views

CVE-2026-23523

Dive (MCP Host Desktop Application) prior to version 0.13.0 is affected. A crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, leading to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0...

CVSS 9.6 | AI score 6.6 | EPSS 0.0006
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/01/16 4:29 p.m., 2 views

CVE-2026-23523 Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the...

CVSS 9.6 | AI score 6.9 | EPSS 0.0006
Exploits: 1 | References: 4

Cvelist
added 2026/01/16 4:29 p.m., 16 views

CVE-2026-23523 Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the...

CVSS 9.6 | EPSS 0.0006
Exploits: 1 | References: 2

SUSE CVE
added 2026/01/16 1:08 a.m., 3 views

SUSE CVE-2018-3750

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all object...

CVSS 9.8 | AI score 7 | EPSS 0.00293
Exploits: 1 | References: 2

Tenable Nessus
added 2026/01/16 12:00 a.m., 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000578)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000578 advisory. The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c in the Linux kernel before 4.0.2 on ppc64 platforms allows local users to cause a denial of service...

CVSS 4.9 | AI score 6.9 | EPSS 0.00042
Exploits: 0 | References: 13

CNNVD
added 2026/01/16 12:00 a.m., 1 view

Dive code injection vulnerability

Dive is a desktop application for MCP hosts, open-sourced by OpenAgentPlatform. Versions of Dive prior to 0.13.0 contained a code injection vulnerability. This vulnerability stemmed from specially crafted deep links that allowed the installation of MCP server configurations controlled by attacker...

CVSS 9.6 | AI score 6.1 | EPSS 0.0006
Exploits: 1 | References: 3