Prototype Pollution

Overview icu-minify is an ICU message format compiler with a 1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution in the setNestedProperty function when processing translation catalog keys containing reserved properties such as proto, constructor, o...

@0xchain/empty (>=0.0.1 <=1.1.0-beta.4), @0xchain/expandable-text (>=0.0.1 <=1.1.0-beta.18) +107 more potentially affected by unknown CVE via icu-minify (=4.11.1)

icu-minify NPM version =4.11.1 is affected by a known vulnerability. The following packages have a transitive dependency on icu-minify and may be impacted: - @0xchain/empty =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.1, =2.2.0, =2.5...

@0xchain/empty (>=0.0.1 <=1.1.0-beta.4), @0xchain/expandable-text (>=0.0.1 <=1.1.0-beta.18) +107 more potentially affected by unknown CVE via icu-minify (=4.11.1)

icu-minify NPM version =4.11.1 is affected by a known vulnerability. The following packages have a transitive dependency on icu-minify and may be impacted: - @0xchain/empty =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.1.0, =0.1.1, =2.2.0, =2.5...

GHSA-R27J-894H-3W3P mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Summary icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype e.g. toString, proto, constructor, hasOwnProperty, valueOf, the lookup returns a truth...

mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Summary icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype e.g. toString, proto, constructor, hasOwnProperty, valueOf, the lookup returns a truth...

Prototype Pollution

Overview icu-minify is an ICU message format compiler with a 1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution via the formatSelect function. An attacker can cause the application to crash and trigger a server error by supplying specially crafted...

Astra Linux - уязвимость в thunderbird

To protect ICU from exploitation, the behavior for out-of-memory conditions has been changed to a crash instead of attempting to continue. This vulnerability affects Firefox ESR 115.9 and Thunderbird 115.9...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures e.g. probe deferral...

OPENSUSE-SU-2026:20513-1 Security update for sqlite3

This update for sqlite3 fixes the following issues: Update sqlite3 to version 3.51.3: Security issues: - CVE-2025-7709: Integer Overflow in FTS5 Extension bsc1254670. - CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation bsc1259619. Non security issue:...

SUSE-SU-2026:21095-1 Security update for sqlite3

This update for sqlite3 fixes the following issues: Update sqlite3 to version 3.51.3: Security issues: - CVE-2025-7709: Integer Overflow in FTS5 Extension bsc1254670. - CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation bsc1259619. Non security issue:...

SUSE-SU-2026:21173-1 Security update for sqlite3

This update for sqlite3 fixes the following issues: Update sqlite3 to version 3.51.3: Security issues: - CVE-2025-7709: Integer Overflow in FTS5 Extension bsc1254670. - CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation bsc1259619. Non security issue:...

nodejs22 security update

1:22.22.2-1 - Update to version 22.22.2 - introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135 - disabled failing tests in nghttp2 due to newer version - patch for npm/braces CVE-2026-25547 1:22.22.0-4 - sources: changed ICU version syntax...

CLSA-2026-1774028594 Update of postgresql11

Initial backport of PostgreSQL 11.22 for RHEL 7 - Based on Fedora/RHEL 8 spec files for PostgreSQL 10 and 12 - Adapted for RHEL 7 compatibility: - Disabled ICU support by default not readily available on RHEL 7 - Disabled plpython3 by default may need SCL for Python 3 - Removed perl-generators...

EulerOS Virtualization 2.12.1 : icu (EulerOS-SA-2026-1431)

According to the versions of the icu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A stack buffer overflow was found in Internationl components for unicode ICU . While running the genrb binary, the 'subtag' struct...

EulerOS Virtualization 2.12.0 : icu (EulerOS-SA-2026-1488)

According to the versions of the icu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A stack buffer overflow was found in Internationl components for unicode ICU . While running the genrb binary, the 'subtag' struct...

Huawei EulerOS: Security Advisory for icu (EulerOS-SA-2026-1488)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

EUVD-2026-8822

Angular i18n vulnerable to Cross-Site Scripting...

GHSA-PRJF-86W9-MFQV Angular i18n vulnerable to Cross-Site Scripting

A Cross-site Scripting XSS vulnerability has been identified in the Angular internationalization i18n pipeline. In ICU messages International Components for Unicode, HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves thr...

Cross-site Scripting (XSS)

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

DEBIAN-CVE-2026-27970

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization i18n pipeline. In ICU messages...