Lucene search
K

52568 matches found

CNNVD
CNNVD
added 2026/05/28 12:0 a.m.10 views

json-2-csv 安全漏洞

json-2-csv is a JSON-to-CSV conversion tool developed by Michael Rodrigues. Versions of json-2-csv from 3.15.0 to 5.5.11 had security vulnerabilities. These vulnerabilities stemmed from the possibility of bypassing the preventCsvInjection option, allowing attackers to inject formulas into the CSV...

7CVSS5.8AI score0.00166EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.15 views

PT-2026-44192

Name of the Vulnerable Software and Affected Versions json-2-csv versions 3.15.0 through 5.5.10 Description CSV Injection occurs when the preventCsvInjection option is bypassed, allowing an attacker to inject formulas into CSV files. These formulas execute automatically when the files are opened ...

7CVSS5.9AI score0.00166EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/05/28 12:0 a.m.9 views

RockyLinux 9 : mariadb:11.8 (RLSA-2026:19182)

The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:19182 advisory. MariaDB: MariaDB: Remote Code Execution or Denial of Service via JSONSCHEMAVALID function vulnerability CVE-2026-32710 Tenable has extracted the preceding...

9.9CVSS5.9AI score0.00856EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/05/28 12:0 a.m.22 views

RockyLinux 9 : jq (RLSA-2026:19365)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19365 advisory. jq: out-of-bounds read in jvparsesized on error formatting for non-NUL-terminated buffers CVE-2026-39979 jq: jq: Denial of Service via crafted JSON obje...

8.2CVSS5.8AI score0.00559EPSS
Exploits1References5
CVE
CVE
added 2026/05/28 12:0 a.m.30 views

CVE-2026-42999

OpenStack Keystone prior to 29.0.2 contains CVE-2026-42999, where the RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary (policy_dict.update(json_input.copy())). Since flask.request.get_json is called with force=True, this ...

8.8CVSS6AI score0.00329EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/05/28 12:0 a.m.27 views

CVE-2026-42999

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforcecall unconditionally merges the raw JSON request body into the policy enforcement dictionary via policydict.updatejsoninput.copy, overwriting trusted target data that was previously set from...

6CVSS0.00329EPSS
Exploits1References2
FreeBSD
FreeBSD
added 2026/05/28 12:0 a.m.11 views

mail/mailpit -- memory-exhaustion DoS via unbounded JSON body

Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/id/release...

5.8AI score
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/28 12:0 a.m.10 views

RockyLinux 9 : buildah (RLSA-2026:19186)

The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:19186 advisory. github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption JWE object CVE-2026-34986 Tenable has...

7.5CVSS5.8AI score0.00651EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/05/27 10:13 p.m.15 views

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

7.5CVSS6.6AI score0.00269EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/05/27 9:32 p.m.36 views

CVE-2026-45322 OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.runshell passes a command string...

7.8CVSS0.01722EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 9:2 p.m.31 views

CVE-2026-44720 OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4...

6.9CVSS0.00207EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 9:2 p.m.7 views

CVE-2026-44720 OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4...

6.9CVSS5.8AI score0.00207EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 8:42 p.m.7 views

CVE-2026-44660

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operatio...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.8 views

CVE-2026-41164

nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...

4.4CVSS5.8AI score0.00076EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.10 views

CVE-2026-47202

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS5.7AI score0.00171EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/27 7:33 p.m.10 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagjson to...

6.9CVSS5.9AI score0.0012EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 7:33 p.m.8 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagcbor to...

6.9CVSS5.9AI score0.0012EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 7:32 p.m.5 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS via the apiHandler and webHandlerTelegramBot processes. An attacker can cause the application to exhaust system memory and crash by sending an extremely large or endless JSON payload over a single TCP connection...

8.7CVSS5.8AI score0.00441EPSS
Exploits0References2
NVD
NVD
added 2026/05/27 7:16 p.m.14 views

CVE-2026-44635

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

7.5CVSS0.00362EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/27 6:21 p.m.11 views

EUVD-2026-32623

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

7.5CVSS5.9AI score0.00362EPSS
Exploits0References1
Rows per page
Query Builder