aaPanel 安全漏洞

aaPanel is a simple yet powerful web-based control panel developed under the open source license. Version 7.57.0 of aaPanel contains a security vulnerability, which stems from a regular expression denial-of-service issue in the VirtualHost configuration processing/parser component...

CVE-2026-29856

An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service ReDoS via a crafted input...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a denial of service hole that can be exploited by attackers to cause regular expression injection and denial of service...

CVE-2026-29856

An issue in the VirtualHost configuration handling/parser component of aaPanel v7.57.0 allows attackers to cause a Regular Expression Denial of Service ReDoS via a crafted input...

Parse Server LiveQuery subscription with invalid regular expression crashes server

Impact A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. Patches...

CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames

Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...

CVE-2026-4148

A use-after-free vulnerability (CVE-2026-4148) affects MongoDB in sharded clusters, triggered by an authenticated user with read role issuing a specially crafted $lookup or $graphLookup aggregation. The linked OSV entry cites the failure in ExpressionContext within the classic engine as the root ...

CVE-2026-4148 ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline...

CVE-2026-4148 ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline...

PT-2026-25939

Name of the Vulnerable Software and Affected Versions Spring AI versions prior to 1.0.4 and 1.1.3 Description A JSONPath injection issue exists in Spring AI’s AbstractFilterExpressionConverter. Authenticated users can bypass metadata-based access controls by using crafted filter expressions...

PT-2026-25907

Name of the Vulnerable Software and Affected Versions MongoDB Server affected versions not specified Description A use-after-free issue can occur in sharded clusters when a user with read access submits a specifically designed aggregation pipeline using either the $lookup or $graphLookup operator...

simpleeval 安全漏洞

SimpleEval is a Python expression security evaluation library developed by Daniel. Versions of SimpleEval prior to 1.0.5 contained security vulnerabilities. These vulnerabilities stemmed from the possibility of objects directly accessing dangerous modules within the sandbox through attributes. If...

MAL-2026-1570 Malicious code in transform-member-expression-literals (npm)

The package 'transform-member-expression-literals' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2...

Malicious code in transform-member-expression-literals (npm)

The package 'transform-member-expression-literals' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2...

Permissive Regular Expression

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Permissive Regular Expression via the matchesExecAllowlistPattern function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly...

SUSE CVE-2026-28356

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...

CVE-2026-32249 NFA regex engine NULL pointer dereference affects Vim < 9.2.0137

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range e.g. 0-0\u05bb, incorrectly emits the composing bytes of that character as separate NFA...

EUVD-2026-11607

multipart vulnerable to ReDoS in parseoptionsheader...

Regular Expression Denial of Service (ReDoS)

Overview multipart is a Parser for multipart/form-data Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the parseoptionsheader function due to the use of a regular expression with ambiguous alternation. An attacker can cause significant resource...

UBUNTU-CVE-2026-28356

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipar...