CVE-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

[SECURITY] Fedora 44 Update: perl-Sereal-Decoder-5.005-1.fc44

This library implements a deserializer for an efficient, compact-output, and feature-rich binary protocol called Sereal...

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 Lab — React Server Components RCE !Dockerh...

Netatalk 安全漏洞

Netatalk is an open-source software developed by Netatalk Inc., which provides AFP file server functionality for Classic Mac OS and macOS on Unix-like operating systems. Versions 3.0.0 to 4.4.2 of Netatalk contain security vulnerabilities. These vulnerabilities stem from dead-end checks in the...

Astra Linux - уязвимость в jackson-databind

In FasterXML Jackson-Databind before version 2.13.4, resource exhaustion can occur due to the lack of a check in BeanDeserializer.deserializeFromArray, which prevents the use of deeply nested arrays. An application becomes vulnerable only with certain customized choices for deserialization...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-006304)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006304 advisory. An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xmlserializer.getInnerText...

[SECURITY] Fedora 43 Update: rust-pythonize-0.27.0-1.fc43

Serde Serializer & Deserializer from Rust Python, backed by PyO3...

CVE-2026-28794

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...

CVE-2026-28794

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...

CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...

CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...

CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...

CVE-2026-28794

The CVE concerns oRPC and its @orpc/client package. Prior to v1.13.6, the RPC JSON deserializer in StandardRPCJsonSerializer can perform prototype pollution by injecting properties into Object.prototype via attacker-controlled paths in the data (notably through the maps and meta vectors). This vu...

orpc 安全漏洞

orpc is an open-source RPC and OpenAPI integration framework developed by middleapi. Versions of oRPC prior to 1.13.6 contained security vulnerabilities. These vulnerabilities stemmed from prototype pollution in the RPC JSON deserializer of the @orpc/client package. This could allow unauthenticat...

GHSA-M272-9RP6-32MC `@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization

Summary A critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the...

`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization

Summary A critical Prototype Pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the...

PT-2026-23000

Name of the Vulnerable Software and Affected Versions orpc versions prior to 1.13.6 @orpc/client versions prior to 1.13.6 Description A critical prototype pollution issue exists in the RPC JSON deserializer of the @orpc/client package. This allows unauthenticated, remote attackers to inject...

OESA-2026-1342 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xmlserializer.getInnerText allows a remote...

CVE-2026-25632

EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer myloadfromjson that supports a type field...

CVE-2026-25632

EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer myloadfromjson that supports a type field...