488 matches found
CVE-2026-9563
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memo...
CVE-2026-9563
Eclipse Parsson JSON parser did not enforce a default maximum on parsed characters before 1.1.8, allowing DoS from attacker-controlled JSON via very large documents. The fixed version, Parsson 1.1.8, adds a configurable limit with a default of 15 million parser-consumed characters. Affected: Ecli...
GHSA-3CCM-4QQ2-5WRP Constrata's coordinator transit engine `ciphertextContainer.UnmarshalJSON` panics on attacker-controlled short ciphertexts
Summary ciphertextContainer.UnmarshalJSON decodes the third :-separated component of a vault:vX:base64... ciphertext and then unconditionally takes a 12-byte prefix slice for the AES-GCM nonce: c.nonce = fullCiphertext:aesGCMNonceSize. If the decoded blob is shorter than 12 bytes, the slice...
CVE-2026-54903
Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in bufappendstring buf.h:61 converts the string length to a large negative sizet,...
CVE-2026-53426
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation. MDEx.parsedocument/2 accepts a :json, json source. In lib/mdex.ex, the private jsontonode/1 function passes the attacker-controlled nodetype value to Module.concat/1, which calls...
Budibase has nonymous NoSQL operator injection via published-app query templates
Summary enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars...
EUVD-2026-37960
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: headers, combined with Starlette's...
PT-2026-51089
Name of the Vulnerable Software and Affected Versions Oj versions prior to 3.17.2 Description Oj is a JSON parser and Object marshaller for Ruby. The Oj.load function is susceptible to heap corruption when processing a JSON string exceeding 2 GB. An integer overflow occurs within the buf append...
EUVD-2026-36154
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property,...
Alibaba Cloud Linux 3 : 0115: jq (ALINUX3-SA-2026:0115)
The remote Alibaba Cloud Linux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0115 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-39979: A flaw was found in jq, a...
Atlassian Jira Service Management Data Center and Server 11.2.0 < 11.3.5 (JSDSERVER-16576)
The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16576 advisory. - jackson-core contains core low-level incremental streaming parser and generator abstractions used by...
CLSA-2026-1778661840 skopeo: Fix of CVE-2024-24786
CVE-2024-24786: fix infinite loop in vendored google.golang.org/protobuf protojson.Unmarshal on malformed JSON by handling EOF in skipJSONValue and rejecting ObjectClose after a Name token in Decoder.Read...
Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Exim vulnerabilities (USN-8228-1)
The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8228-1 advisory. It was discovered that Exim incorrectly handled parsing malformed JSON in message headers. A remote attacker could possib...
Security Bulletin: Security vulnerability has been detected in IBM Security Verify Governance Identity Manager Adapters
Summary IBM Security Verify Governance Identity Manager Adapters use jackson-core-2.12.0.jar, which is affected by vulnerability WS-2026-0003 Vulnerability Details ID:WS-2026-0003 DESCRIPTION: The non-blocking async JSON parser in jackson-core bypasses the maxNumberLength constraint default: 1000...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read due to improper bounds checking in the JSON parsing process. An attacker can cause the application to read memory outside the intended buffer by providing specially crafted JSON input. Remediation Upgrade thrift to...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: jq (UTSA-2026-014279)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014279 advisory. jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass...
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : RapidJSON vulnerability (USN-8189-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8189-1 advisory. It was discovered that RapidJSON did not properly protect against integer overflows in certain instances when...
PT-2026-34238
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fio json parse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning...
CVE-2026-33948
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...
EUVD-2026-22158
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...