11 matches found
CVE-2026-48828 Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
The Bulk Variables API in Apache Airflow called the redactor without passing the variable's key, so the key-based shouldhidevalueforkey check which triggers on secret-suffixed key names like password / token / secret could not fire for JSON-decodable variable values. An authenticated UI/API user...
BIT-AIRFLOW-2026-42358 Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets
A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...
CVE-2026-6415
The CVE concerns the Advanced Custom Fields: Font Awesome plugin for WordPress. It is vulnerable to a Stored Cross-Site Scripting (Stored XSS) in versions up to and including 5.0.2. The root cause is insufficient input validation of JSON field values and unsafe client-side HTML construction in th...
CVE-2026-41146
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fiojsonparse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at 100% instead of returning a...
mod_security: ModSecurity Denial of Service Vulnerability
A denial of service flaw was found in ModSecurity. This vulnerability is present in the sanitiseArg/sanitizeArg function can be overloaded with a large number of arguments which will lead to excessive memory usage when processing json values. This may lead to a denial of service in the affected w...
CVE-2020-26890
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into th...
CVE-2020-26890
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into th...
Code injection
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into th...
CVE-2020-26890
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into th...
PYSEC-2020-237
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into th...
CVE-2020-26890
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into th...