RockyLinux 9 : ruby:4.0 (RLSA-2026:20596)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:20596 advisory. ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection (CVE-2026-33210); erb: ERB: Arbitrary code execution via...
ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection
A flaw was found in Ruby JSON. This vulnerability, a format string injection, allows a remote attacker to cause a denial of service (DoS) or disclose sensitive information. The flaw occurs when processing specially crafted user-supplied documents with the allow_duplicate_key: false parsing option...
ALSA-2026:20596 Important: ruby:4.0 security update
Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to perform system management tasks. Security Fixes: ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection (CVE-2026-33210); erb: ERB: Arbitrary...
CVE-2026-43892
AntSword (cross-platform website management toolkit) is affected by CVE-2026-43892 due to incomplete noxss() sanitization before version 2.1.16, enabling a 1-click remote code execution through jquery.terminal format code injection. The vulnerability is fixed in version 2.1.16. Impact is describe...
CVE-2026-33911
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter title is reflected back in a JSON response built with json_encode. Because the response is served with a text/html Content-Type, the browser...
EUVD-2017-9505
Malware in sbrugna...
CVE-2025-8276
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Patika Global Technologies HumanSuite allows...
PT-2025-33079 · Unknown · Quickshare File Server
Name of the Vulnerable Software and Affected Versions: QuickShare File Server version 1.2.1. Description: QuickShare File Server version 1.2.1 contains a path traversal vulnerability in its FTP service due to improper sanitization of user-supplied file paths. Authenticated users can exploit this fla...
Lichess: ImageId Format Injection in Image Upload Endpoint
The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...
CVE-2017-18389
cPanel before 68.0.15 allows string format injection in dovecot-xaps-plugin (SEC-318)...
ALPINE-CVE-2024-29510
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device...
SUSE CVE-2024-29510
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device...
cPanel Injection Vulnerability (CNVD-2019-36137)
cPanel is a web-based hosting automation platform from the US-based company cPanel. The platform is primarily used to automate the management of websites and servers. An injection vulnerability exists in cPanel. An attacker can exploit this vulnerability to perform string format injection in...
CVE-2016-10773
cPanel before 60.0.25 allows format-string injection in exception-message handling (SEC-171)...
Format string
cPanel before 68.0.15 allows string format injection in dovecot-xaps-plugin (SEC-318)...
CVE-2017-18389
CVE-2017-18389 affects cPanel prior to 68.0.15. The issue is a string format injection in the dovecot-xaps-plugin, as described by SEC-318. The vulnerability stems from how the plugin handles format strings, enabling potential injection through malformed input. Exploitation details, impacted vers...
CVE-2002-0412
Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP...