511 matches found
CVE-2026-33228
A flaw was found in flatted, a JavaScript Object Notation JSON parser designed for handling circular data structures. A remote attacker can exploit this vulnerability by providing specially crafted JSON input. The parse function in flatted fails to properly validate string values used as array...
EUVD-2026-15976
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exposure of sensitive information via JSON server response manipulation...
CVE-2026-1014
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to exposure of sensitive information via JSON server response manipulation...
CVE-2026-29772 Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...
Silicon Labs Simplicity Studio 安全漏洞
Silicon Labs Simplicity Studio is an integrated development environment for embedded system development and debugging provided by Silicon Labs, a company in the United States. There is a security vulnerability in Silicon Labs Simplicity Studio, which stems from the acceptance of user-controllable...
DEBIAN-CVE-2026-33228
flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...
CVE-2026-33203 SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on...
SUSE CVE-2025-12044
Vault and Vault Enterprise “Vault” are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for +HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393...
Red Hat OpenShift AI 安全漏洞
Red Hat OpenShift AI is an AI lifecycle management platform developed by Red Hat Inc. There is a security vulnerability in Red Hat OpenShift AI, which stems from improper endpoint access control at the /save-document endpoint. This vulnerability could allow unverified remote attackers to write...
PT-2026-26506
ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...
ChurchCRM 安全漏洞
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.0.2 contained security vulnerabilities. These vulnerabilities stemmed from improper cleaning of JSON inputs in the SystemSettings.php file, which could lead to cross-site scripting attacks...
Security update for jq
This update for jq fixes the following issue: CVE-2025-9403: test suite assertion failure in JSON parsing consistency validation bsc1248600. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you ca...
PT-2026-26090
Name of the Vulnerable Software and Affected Versions Kysely versions up to and including 0.28.11 Description Kysely, a type-safe TypeScript SQL query builder, has a SQL injection issue in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function directly appends...
Apache Spark 代码问题漏洞
Apache Spark is a large-scale data processing engine that supports acyclic data streaming and in-memory computing from the Apache Foundation. Apache Spark suffers from a deserialization vulnerability. The vulnerability stems from the Spark History Web UI's overly lax Jackson deserialization of...
BIT-GITLAB-2025-14513 Improper Validation of Specified Quantity in Input in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON...
Agent Privilege Separation in OpenClaw: A Structural Defense against Prompt Injection
Prompt injection remains one of the most practical attack vectors against LLM-integrated applications. We replicate the Microsoft LLMail-Inject benchmark Greshake et al., 2024 against current generation models running inside OpenClaw, an open source multitool agent platform. Our proposed defense...
EUVD-2026-10870
Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type...
Interpretation Conflict
Overview Affected versions of this package are vulnerable to Interpretation Conflict in the JSON-RPC and MCP protocol message parsing. An attacker can bypass intermediary inspection or cause cross-implementation inconsistencies by sending protocol messages with non-standard field casing or Unicod...
CVE-2026-27896 MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc...
CVE-2025-65519
mayswind ezbookkeeping versions 1.2.0 and earlier contain a critical vulnerability in JSON and XML file import processing. The application fails to validate nesting depth during parsing operations, allowing authenticated attackers to trigger denial of service conditions by uploading deeply nested...