CVE-2026-54271

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static outp...

CVE-2026-54269

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...

CVE-2026-48712

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject conversion and the custom google.protobuf.Any JSON conversio...

CVE-2026-42127

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

CVE-2026-48712

The CVE-2026-48712 vulnerability affects protobufjs (JavaScript) in the toObject() conversion path and the google.protobuf.Any JSON conversion path. Prior to versions 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit when converting decoded messages to plain objects/JSON, allowing a...

CVE-2026-48712 protobufjs: Denial of service through unbounded Any expansion during JSON conversion

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject conversion and the custom google.protobuf.Any JSON conversio...

CVE-2026-48712

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject conversion and the custom google.protobuf.Any JSON conversio...

CVE-2026-54271 protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static outp...

CVE-2026-54271

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static outp...

CVE-2026-54271

The CVE-2026-54271 entry concerns protobufjs-cli (pbjs) static code generation, where insecure handling of pre-parsed JSON descriptors could lead to attacker-controlled JavaScript in generated output. Concrete details across connected sources show that protobufjs-cli versions prior to the fixed r...

EUVD-2026-38229

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a...

CVE-2026-50589

A flaw was found in OpenStack Ironic. An unauthenticated malicious user could exploit this vulnerability by submitting a specially crafted JSON JavaScript Object Notation string to certain API Application Programming Interface or JSON-RPC Remote Procedure Call service endpoints. This could lead t...

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

A flaw was found in Go JOSE, a library for handling JSON Web Encryption JWE objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the...

Resource Exhaustion

joserfc is vulnerable to Resource Exhaustion. The vulnerability is due to missing payload size validation for RFC7797 b64=false JWS payloads, where oversized payloads bypass the configured maximum payload length check, and attackers can exploit it by submitting large JWS tokens that consume...

PT-2026-51396

Name of the Vulnerable Software and Affected Versions MessagePack for C versions prior to 2.5.301 MessagePack for C versions prior to 3.1.7 Description JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. Specifically, the...

PYSEC-2026-239

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected...

CVE-2026-56265

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected...

CVE-2026-56265 Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected...

CVE-2026-56265

CVE-2026-56265 affects Crawl4AI prior to 0.8.7 due to a hardcoded default JWT signing key in the Docker API server. The root cause is token forgery: an attacker who knows the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protec...

CVE-2026-12795 BerriAI litellm SSO Debug Flow ui_sso.py json.dumps missing authentication

A vulnerability was determined in BerriAI litellm up to 1.82.2. This affects the function json.dumps of the file litellm/proxy/managementendpoints/uisso.py of the component SSO Debug Flow. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploi...