Lucene search

41 matches found

RedhatCVE
added 2026/04/02 10:54 p.m. · 0 views

CVE-2026-35000

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc and similar file-access primitives. Attackers can exploit th...

7.1 CVSS · 6 AI score · 0.00064 EPSS
Exploits 0 · References 1
Positive Technologies
added 2026/04/01 12:0 a.m. · 2 views

PT-2026-29588

ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the SafeXPath3Parser implementation that allows attackers to read arbitrary local files by using unblocked XPath 3.0/3.1 functions such as json-doc and similar file-access primitives. Attackers can exploit th...

7.1 CVSS · 6 AI score · 0.00064 EPSS
Exploits 0 · References 6
RedhatCVE
added 2026/01/09 10:35 a.m. · 6 views

CVE-2017-18901

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document...

5.3 CVSS · 6.8 AI score · 0.00237 EPSS
Exploits 0 · References 1
OSV
added 2025/12/02 6:30 p.m. · 2 views

CVE-2025-66458 Lookyloo has multiple XSS due to unsafe use of f-strings in Markup

Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document...

5.3 CVSS · 6.3 AI score · 0.00025 EPSS
Exploits 0 · References 4
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2020-0528

Malware in sbrugna...

7.2 CVSS · 5.6 AI score · 0.01315 EPSS
Exploits 0 · References 6
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2013-6222

Malware in sbrugna...

5 CVSS · 6.1 AI score · 0.00341 EPSS
Exploits 0 · References 6
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2017-9991

Malware in sbrugna...

5.3 CVSS · 5.6 AI score · 0.00237 EPSS
Exploits 0 · References 2
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-2228

Malicious code in bioql PyPI...

8.6 CVSS · 7.3 AI score · 0.00566 EPSS
Exploits 1 · References 6
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2023-1658

Malicious code in bioql PyPI...

7.5 CVSS · 7.5 AI score · 0.00218 EPSS
Exploits 0 · References 4
OSV
added 2025/08/15 12:39 p.m. · 1 views

OESA-2025-1994 cjson security update

cJSON aims to be the dumbest possible parser that you can get your job done with. It's a single file of C, and a single header file. %package devel Summary: Development files for cJSON Requires: = - Requires: pkgconfig %description devel The cjson-devel package contains libraries and header files...

2.9 CVSS · 6.8 AI score · 0.00052 EPSS
Exploits 1 · References 2
NVD
added 2025/04/19 10:15 p.m. · 14 views

CVE-2023-26819

cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as "a": true, "b": null,9999999999999999999999999999999999999999999999912345678901234567...

2.9 CVSS · 0.00052 EPSS
Exploits 1 · References 2
OSV
added 2025/04/19 10:15 p.m. · 6 views

CVE-2023-26819

cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as "a": true, "b": null,9999999999999999999999999999999999999999999999912345678901234567...

2.9 CVSS · 6.8 AI score
Exploits 0 · References 2
CVE
added 2025/04/19 12:0 a.m. · 68 views

CVE-2023-26819

CVE-2023-26819 affects the cJSON library (v1.7.15) and can cause a denial of service when parsing crafted JSON like {"a": true, "b": [null, 9999...}] with extremely large numbers. Public advisories (Ubuntu USN-7973-1; Debian DLA-4216) confirm vulnerable package versions and provide fixes in subse...

2.9 CVSS · 6.9 AI score · 0.00052 EPSS
Exploits 1 · References 2 · Affected Software 1
Debian CVE
added 2025/04/19 12:0 a.m. · 70 views

CVE-2023-26819

cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as "a": true, "b": null,9999999999999999999999999999999999999999999999912345678901234567...

2.9 CVSS · 4.4 AI score · 0.00052 EPSS
Exploits 1
RedhatCVE
added 2025/02/05 2:56 p.m. · 4 views

CVE-2020-15092

In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Mos...

7.2 CVSS · 5.7 AI score · 0.01315 EPSS
Exploits 0
NVD
added 2024/09/06 4:15 p.m. · 7 views

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...

9.1 CVSS · 0.00106 EPSS
Exploits 1 · References 2
Cvelist
added 2024/09/06 12:0 a.m. · 12 views

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...

0.00106 EPSS
Exploits 1 · References 2
Positive Technologies
added 2024/02/21 12:0 a.m. · 2 views

PT-2024-21295 · Xwiki · Xwiki Application Licensing

Name of the Vulnerable Software and Affected Versions: XWiki Application Licensing versions prior to 1.24.2 Description: The XWiki licensor application includes a public document Licenses.Code.LicenseJSON that exposes sensitive information, including the instance's id, first and last name, and...

5.3 CVSS · 5.1 AI score · 0.0024 EPSS
Exploits 0 · References 8
OSV
added 2023/08/08 8:15 p.m. · 0 views

CVE-2023-26961

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files e.g., JavaScript content for stored XSS via the type field in a JSON document within a PUT /gallery/api/media request...

4.8 CVSS · 5.9 AI score
Exploits 0 · References 2
Prion
added 2023/08/08 8:15 p.m. · 16 views

Cross site scripting

Alteryx Server 2022.1.1.42590 does not employ file type verification for uploaded files. This vulnerability allows attackers to upload arbitrary files e.g., JavaScript content for stored XSS via the type field in a JSON document within a PUT /gallery/api/media request...

4.3 CVSS · 5.1 AI score · 0.00435 EPSS
Exploits 1 · References 2 · Affected Software 1