Lucene search
K

39 matches found

OSV
OSV
added last week5 views

PYSEC-2026-1559 LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing

The JSONReader in run-llama/llamaindex versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service DoS by submitting deeply nested JSON structures, leading to a RecursionError and crashing...

6.5CVSS7.2AI score0.00338EPSS
Exploits1References6
NVD
NVD
added 2026/07/01 12:16 a.m.7 views

CVE-2026-54592

Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS. In a two-step chain in...

7.5CVSS0.00263EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/30 10:29 p.m.8 views

CVE-2026-50193

A flaw was found in jackson-databind, a general-purpose data-binding library for Jackson Data Processor. A remote attacker can exploit this vulnerability by sending deeply nested JSON JavaScript Object Notation data to a service that reads and processes it. This can lead to a Denial of Service Do...

7.5CVSS5.7AI score0.00616EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/06/23 9:21 p.m.8 views

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

Impact Potential Denial-of-Service when attacker sends deeply nested JSON if and only if service: 1. Reads deeply nested 1000s of levels JSON as JsonNode ObjectMapper.readTree 2. Writes out same or modifided node using JsonNode.toString which can consume significant amount of resources with...

7.5CVSS5.8AI score0.00616EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/06/23 9:21 p.m.8 views

GHSA-3WRR-7QPF-2PRH jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

Impact Potential Denial-of-Service when attacker sends deeply nested JSON if and only if service: 1. Reads deeply nested 1000s of levels JSON as JsonNode ObjectMapper.readTree 2. Writes out same or modifided node using JsonNode.toString which can consume significant amount of resources with...

6.3CVSS5.8AI score0.00616EPSS
Exploits1References4
NVD
NVD
added 2026/06/23 9:17 p.m.17 views

CVE-2026-50193

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

7.5CVSS0.00616EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 9:17 p.m.3 views

DEBIAN-CVE-2026-50193

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

7.5CVSS5.8AI score0.00616EPSS
Exploits1References1
OSV
OSV
added 2026/06/23 9:17 p.m.4 views

UBUNTU-CVE-2026-50193

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

7.5CVSS5.8AI score0.00616EPSS
Exploits1References5
Debian CVE
Debian CVE
added 2026/06/23 9:0 p.m.6 views

CVE-2026-50193

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

7.5CVSS5.8AI score0.00616EPSS
Exploits1
Cvelist
Cvelist
added 2026/06/23 9:0 p.m.34 views

CVE-2026-50193 jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

6.3CVSS0.00616EPSS
Exploits1References3
CVE
CVE
added 2026/06/23 9:0 p.m.28 views

CVE-2026-50193

jackson-databind contains a DoS in JSON tree handling: if a service reads deeply nested JSON (1000s of levels) via ObjectMapper.readTree() and then writes that JsonNode with toString(), it can consume significant resources. Affected are 2.13.0–2.14.0; fixed in 2.14.0. Mitigation: upgrade to 2.14....

7.5CVSS5.9AI score0.00616EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.17 views

PT-2026-51594

Name of the Vulnerable Software and Affected Versions jackson-databind versions 2.13.0 through 2.13.x Description A potential Denial-of-Service exists when a service reads deeply nested JSON thousands of levels as a JsonNode using the readTree function of ObjectMapper and subsequently writes that...

7.5CVSS5.9AI score0.00616EPSS
Exploits1References12
OSV
OSV
added 2026/06/19 7:36 p.m.6 views

GHSA-3M6Q-JJ5J-38C9 Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input

Summary Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. Details Two-step chain in ext/oj/fast.c: 1. doceachchild line 1501 increments doc-where pas...

7.5CVSS6AI score0.00263EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/09 4:5 p.m.39 views

CVE-2026-49847 FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes...

7.5CVSS0.00414EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/01 7:49 a.m.16 views

CVE-2026-42358

A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...

3.7CVSS5.8AI score0.00421EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/13 5:22 p.m.11 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the Root.fromJSON or Namespace.addJSON functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References2
OSV
OSV
added 2026/05/11 5:16 p.m.2 views

CVE-2026-40612 jq: Stack overflow via unbounded recursion in jv_contains

jq is a command-line JSON processor. In 1.8.1 and earlier, jvcontains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure built programmatically with reduce, since the JSON parser caps at depth 10000, the C stack is exhausted...

6.8CVSS5.9AI score0.00161EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.17 views

PT-2026-39709

Name of the Vulnerable Software and Affected Versions jq versions prior to 1.8.2 Description The jv contains function recurses into nested arrays and objects without a depth limit. When processing a sufficiently nested input structure, this can lead to C stack exhaustion, causing the application ...

7.3CVSS5.8AI score0.00161EPSS
Exploits5References55
Vulnrichment
Vulnrichment
added 2026/05/07 9:18 p.m.9 views

CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

8.9CVSS5.8AI score0.00388EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 9:18 p.m.45 views

CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

8.9CVSS0.00388EPSS
Exploits0References5
Rows per page
Query Builder