Fixed in Apache Tomcat 9.0.117

Moderate: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled CVE-2026-34500 CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used. This was fixed with commit ff589ab2. This issue was reported to the Tomcat security...

Important: ecs-service-connect-agent

Issue Overview: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead o...

Envoy affected by off-by-one write in JsonEscaper::escapeString()

Summary An off-by-one write in Envoy::JsonEscaper::escapeString can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. Details The bug is in the control-character...

PT-2026-24617

Summary An off-by-one write in Envoy::JsonEscaper::escapeString can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. Details The bug is in the control-character...

GHSA-78QV-3MPX-9CQQ NiceGUI vulnerable to XSS via Code Injection during client-side element function execution

Summary Several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input is passed as the method name, an attacker can inject...

NiceGUI vulnerable to XSS via Code Injection during client-side element function execution

Summary Several NiceGUI APIs that execute methods on client-side elements Element.runmethod, AgGrid.rungridmethod, EChart.runchartmethod, and others use an eval fallback in the JavaScript-side runMethod function. When user-controlled input is passed as the method name, an attacker can inject...

EUVD-2022-5005

Malicious code in bioql PyPI...

CVE-2024-45299

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The...

GHSA-9GV2-2M38-J6CX BEdita vulnerable to SQL injection

BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters due to a lack of JSON escaping...

BEdita vulnerable to SQL injection

BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters due to a lack of JSON escaping...

CVE-2022-30241

The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as in a JSON object, as demonstrated by a SCRIPT element...

Node.js 跨站脚本漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in jquery.json-viewer version 1.4.0 and earlier versions of Node.js, which stems from the inability to correctly escape characters e.g., in a JSON object, as shown in the SCRIPT element...

CVE-2020-25739

An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escapemode parameter to escape fields as an XSS protection mechanism. To mitigate, jsondumper.rb in gon now does escaping for XSS by default without relying on MultiJson...