CVE-2026-30624

Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the...

DEBIAN-CVE-2026-33948

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

CVE-2026-33948

CVE-2026-33948 affects jq, a command-line JSON processor. Before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b, input parsing uses strlen() on data read from files or stdin, causing truncation at the first NUL byte and validating only the prefix as JSON. This enables an attacker to craft input ...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained a security vulnerability. This vulnerability stemmed from the parsing of JSON request bodies before verifying the webhook signature, which could lead to...

fast-jwt 安全漏洞

fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt prior to 6.2.1 contained a security vulnerability. This vulnerability stemmed from the use of regular expression objects with state modifiers in certain options of the verify function, which could cause 50%...

CVE-2026-40028 Hayabusa < 3.8.0 XSS via JSON Log Import

Hayabusa versions prior to 3.8.0 contain a cross-site scripting XSS vulnerability in its HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the...

PT-2026-30828

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...

PT-2026-30011

Name of the Vulnerable Software and Affected Versions Go JOSE versions prior to 4.1.4 and versions prior to 3.0.5 Description Go JOSE, an implementation of the Javascript Object Signing and Encryption standards in Go, is susceptible to a denial of service. When decrypting a JSON Web Encryption JW...

CVE-2026-35168 OpenSTAManager: SQL Injection via Aggiornamenti Module

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti Updates module in OpenSTAManager contains a database conflict resolution feature op=risolvi-conflitti-database that accepts a JSON array of SQL statements via PO...

Fixed in Apache Tomcat 10.1.54

Moderate: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled CVE-2026-34500 CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used. This was fixed with commit 29b56a56. This issue was reported to the Tomcat security...

CVE-2026-34554

CVE-2026-34554 affects the iccDEV libraries/tools for ICC color management. Before version 2.3.1.6, a heap-buffer-overflow in CIccApplyCmmSearch::costFunc() can be triggered by malformed JSON input to the iccApplySearch tool. AddressSanitizer reports an out-of-bounds read of size 8 originating fr...

axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig

A denial of service flaw has been discovered in the Axios npm package. the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing proto as an own property. An attacker can trigger this by providing a malicious configuration object created via...

EUVD-2026-17498

JOSE is a Javascript Object Signing and Encryption JOSE library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

iccDEV 缓冲区错误漏洞

iccDEV is an open-source color configuration code library developed by the International Color Consortium. Versions of iccDEV prior to 2.3.1.6 contained a buffer error vulnerability; this vulnerability was caused by JSON configuration inputs that could lead to a heap buffer overflow...

IBM InfoSphere Information Server Encryption Issues Vulnerability

IBM InfoSphere Information Server is IBM's enterprise-class data integration platform for data quality management and information integration. A security vulnerability exists in IBM InfoSphere Information Server that stems from the manipulability of JSON server responses. An attacker can exploit...

PT-2026-29049

Name of the Vulnerable Software and Affected Versions CrewAI affected versions not specified Description The software contains a flaw where the JSON loader tool reads files without proper path validation. This allows unauthorized access to files on the server. The issue involves an arbitrary loca...

Fedora 44 : rubygem-json (2026-3a7663d43d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3a7663d43d advisory. New version 2.19.2 is released. This fixes a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210 Tenable has extract...

[SECURITY] Fedora 43 Update: rubygem-json-2.13.2-2.fc43

This is a implementation of the JSON specification according to RFC 4627 in Ruby. You can think of it as a low fat alternative to XML, if you want to store data to disk or transmit it over a network rather than use a verbose markup language...

CVE-2026-1014

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exposure of sensitive information via JSON server response manipulation...

EUVD-2026-16345

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack...