net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
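The summary above describes a parser that treats bytes before a bracketed IP-literal as ignorable. The following Go program, added here as an illustration and not code from the Go project, shows the defensive check a practitioner can run on `u.Host` after `url.Parse` so that an authority such as `junk[::1]:80` is rejected regardless of which Go release is installed: a host that contains brackets must begin with `[`, contain an IPv6 address (optionally with a `%zone`), and carry nothing but an optional `:port` after `]`; an unbracketed host may hold at most one colon. The hostname character set and the function names are this example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// checkHost parses rawURL with net/url and then re-validates the shape of the
// authority's host component. It is an added example for this page, not part of
// the Go standard library.
func checkHost(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err // patched Go releases already reject malformed authorities here
	}
	host := u.Host
	if host == "" {
		return errors.New("empty host")
	}

	if strings.ContainsAny(host, "[]") {
		// Bracketed form: "[" must be the first byte, the literal inside must be an
		// IPv6 address (optionally followed by a %zone), and only ":port" may follow "]".
		if host[0] != '[' {
			return fmt.Errorf("junk before IPv6 literal in %q", host)
		}
		end := strings.IndexByte(host, ']')
		if end < 0 {
			return fmt.Errorf("unterminated IPv6 literal in %q", host)
		}
		lit := host[1:end]
		if z := strings.IndexByte(lit, '%'); z >= 0 {
			lit = lit[:z] // drop the zone identifier before parsing the address
		}
		if !strings.Contains(lit, ":") || net.ParseIP(lit) == nil {
			return fmt.Errorf("%q is not an IPv6 address", lit)
		}
		return checkPortSuffix(host[end+1:])
	}

	// Unbracketed form: a hostname or IPv4 address with at most one ":port".
	if strings.Count(host, ":") > 1 {
		return fmt.Errorf("unbracketed IPv6 address in %q", host)
	}
	name := host
	if i := strings.IndexByte(host, ':'); i >= 0 {
		name = host[:i]
		if err := checkPortSuffix(host[i:]); err != nil {
			return err
		}
	}
	if name == "" {
		return errors.New("empty host name")
	}
	// Strict hostname alphabet chosen for this example: letters, digits, '-' and '.'.
	for _, r := range name {
		ok := r == '-' || r == '.' || (r >= '0' && r <= '9') ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		if !ok {
			return fmt.Errorf("invalid character %q in host name %q", r, name)
		}
	}
	return nil
}

// checkPortSuffix accepts "" or ":" followed by decimal digits only.
func checkPortSuffix(s string) error {
	if s == "" {
		return nil
	}
	if s[0] != ':' {
		return fmt.Errorf("unexpected %q after host", s)
	}
	for _, r := range s[1:] {
		if r < '0' || r > '9' {
			return fmt.Errorf("invalid port %q", s[1:])
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: two well-formed authorities and three malformed ones.
	for _, raw := range []string{
		"http://[::1]:8080/metrics",
		"http://127.0.0.1:9464/",
		"http://junk[::1]:80/",
		"http://::1:8080/",
		"http://[1.2.3.4]/",
	} {
		fmt.Printf("%-28s -> %v\n", raw, checkHost(raw))
	}
}
```

This check belongs at the trust boundary where an externally supplied URL is accepted (webhook targets, redirect destinations, exporter bind addresses); it complements, and does not replace, upgrading to a Go release in which url.Parse itself rejects such authorities.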
CVE-2026-44902
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid...
PT-2026-41651
Mattermost Desktop App versions <=6.1, 6.0.1, 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App, which allows a malicious server owner to repeatedly crash the application by calling window.open('javascript:alert'). Mattermost Advisory ID: MMSA-2026-00...
CVE-2022-41215
SAP NetWeaver ABAP Server and ABAP Platform allow an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked into disclosing personal information...
OESA-2024-1121 jruby security update
JRuby is a 100% Java implementation of the Ruby programming language. It is Ruby for the JVM. JRuby provides a complete set of core "builtin" classes and syntax for the Ruby language, as well as most of the Ruby Standard Libraries. Security Fixes: A ReDoS issue was discovered in the Time componen...
PT-2023-22903 · Samsung · Samsung Members
Name of the Vulnerable Software and Affected Versions: Samsung Members versions prior to 14.0.07.1 Description: The issue is related to improper URL validation, which allows attackers to access sensitive information. Recommendations: For versions prior to 14.0.07.1, update to version 14.0.07.1 or...
SUSE CVE-2008-3533
Format string vulnerability in the window_error function in yelp-window.c in yelp in Gnome after 2.19.90 and before 2.24 allows remote attackers to execute arbitrary code via format string specifiers in an invalid URI on the command line, as demonstrated by use of yelp within (1) man or (2) ghelp URI...
rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute that can...
Rendertron Cross-Site Scripting Vulnerability
Rendertron is Google's open source Chrome rendering solution designed to instantly render web pages. Rendertron 1.0.0 has a reflected cross-site scripting vulnerability that can be exploited by an attacker via an invalid URL to conduct a cross-site scripting attack...
Google Chrome URL Forgery Vulnerability
Google Chrome is a web browser developed by the American company Google. A URL forgery vulnerability exists in the file ios/web/web_state/ui/crw_web_controller.mm in versions of Google Chrome prior to 52.0.2743.82 on the iOS platform, which stems from a failure to verify that invalid URLs are...
CVE-2016-1707
ios/web/web_state/ui/crw_web_controller.mm in Google Chrome before 52.0.2743.82 on iOS does not ensure that an invalid URL is replaced with the about:blank URL, which allows remote attackers to spoof the URL display via a crafted web site...
PT-2014-4129 · Apple · Safari +1
Name of the Vulnerable Software and Affected Versions: Safari in Apple iOS versions prior to 7.1.2 Description: The issue is related to a use-after-free vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service, resulting in an application crash. This can b...