Lucene search

19 matches found

ATTACKERKB
added 2026/05/07 4:9 a.m. · 2 views

CVE-2026-41640

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 7.5 · AI score 6 · EPSS 0.04817
Exploits 1 · References 5 · Affected Software 1
RedhatCVE
added 2026/04/07 5:57 p.m. · 1 views

CVE-2026-31790

A flaw was found in openssl. Applications that use RSASVE key encapsulation, a method for securely exchanging encryption keys, may inadvertently expose sensitive data. This vulnerability arises when an application processes a malicious, invalid RSA public key provided by an attacker without prope...

CVSS 7.5 · AI score 5.8 · EPSS 0.00042
Exploits 0 · References 4
Snyk
added 2026/04/01 9:11 p.m. · 0 views

Improper Verification of Cryptographic Signature

Overview: openssl-encrypt is a package for secure file encryption and decryption based on modern ciphers, using heavy-compute-load chaining of hashing and KDF to generate a strong encryption password based on the user-provided password to ensure secure encryption of files. Affected versions of this...

CVSS 8.8 · AI score 5.9
Exploits 0 · References 2
Veracode
added 2026/03/25 8:50 a.m. · 4 views

Missing Cryptographic Key Commitment

aws/aws-sdk-php is vulnerable to missing cryptographic key commitment. The vulnerability is due to improper handling of encrypted data keys when stored in instruction files instead of S3 metadata, which allows an attacker with write access to the S3 bucket to introduce a malicious EDK that decryp...

CVSS 6 · AI score 5.8 · EPSS 0.00017
Exploits 0 · References 5 · Affected Software 1
ATTACKERKB
added 2026/01/21 11:1 p.m. · 1 views

CVE-2026-23736

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON...

CVSS 7.3 · AI score 5.4 · EPSS 0.00333
Exploits 0 · References 3 · Affected Software 1
EUVD
added 2025/11/12 6:31 p.m. · 2 views

EUVD-2025-131919

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server e.g. through server-side request forgery, they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copie...

CVSS 5.9 · AI score 6.2 · EPSS 0.00075
Exploits 0 · References 4
Microsoft CVE
added 2025/09/13 8:6 a.m. · 3 views

Malicious Key Exchange Messages may Lead to Excessive Resource Consumption

...

CVSS 6.9 · AI score 7 · EPSS 0.00214
Exploits 0
Cvelist
added 2025/09/11 8:14 a.m. · 7 views

CVE-2025-48040 Malicious Key Exchange Messages may Lead to Excessive Resource Consumption

Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh sshsftp modules allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/sshsftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to...

CVSS 6.9 · EPSS 0.00214
Exploits 0 · References 7
NVD
added 2025/08/18 6:15 p.m. · 2 views

CVE-2025-55293

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with an empty publicKey first, then overwrite it with a new key. First sending an empty key bypasses 'if p.publickey.size 0 ', clearing the existing publicKey and resetting the size to 0 for a know...

CVSS 9.8 · EPSS 0.00088
Exploits 0 · References 3
SUSE CVE
added 2023/02/15 3:40 a.m. · 1 views

SUSE CVE-2021-32728

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a privat...

CVSS 6.5 · AI score 6.2 · EPSS 0.00209
Exploits 1 · References 3
RedHat Linux
added 2022/10/25 2:40 p.m. · 4 views

Mozilla: Matrix SDK bundled with Thunderbird vulnerable to an impersonation attack

A flaw was found in Mozilla. According to the Mozilla Foundation Security Advisory, Thunderbird users who use the Matrix chat protocol are vulnerable to an impersonation attack. An attacker could spoof historical messages from other users, and use a malicious key backup to the user's account unde...

CVSS 8.6 · AI score 7.3 · EPSS 0.00278
Exploits 0 · References 5
Positive Technologies
added 2021/08/18 12:0 a.m. · 1 views

PT-2021-6528 · Nextcloud +1 · Nextcloud Desktop Client +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop Client versions prior to 3.3.0 Description: The issue is related to the end-to-end encryption feature of the Nextcloud Desktop Client, where the client fails to check if a private key belongs to a previously downloaded publi...

CVSS 8.8 · AI score 5.9 · EPSS 0.02214
Exploits 10 · References 45
CNVD
added 2021/07/15 12:0 a.m. · 3 views

Nextcloud Trust Management Issues Vulnerability (CNVD-2021-51798)

Nextcloud is a set of open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. The Nextcloud Android Client prior to version 3.16.1 is vulnerable to a trust management issue that stems from the Nextcloud Android Client skipping a step th...

CVSS 7.5 · AI score 6.3 · EPSS 0.00167
Exploits 0 · References 1
Hacker One
added 2020/02/04 8:28 a.m. · 21 views

Open-Xchange: XSS - Guard - Insufficient escaping of User-IDs from PGP Keys

Vulnerability: PGP user IDs are typically in the form of name and OX Guard properly escapes angle brackets when inserting them into HTML. But in the code for displaying a list of keys it inserts IDs into HTML attributes without escaping double quote characters. javascript //...

AI score 0.1
Exploits 0
OSV
added 2018/06/26 4:29 p.m. · 12 views

CVE-2018-1000536

Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key creation that can result in Unauthorized code execution in the victim's machine, within the rights of th...

CVSS 6.1 · AI score 6.4
Exploits 0 · References 1
Prion
added 2018/06/26 4:29 p.m. · 7 views

Cross site scripting

Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key creation that can result in Unauthorized code execution in the victim's machine, within the rights of th...

CVSS 4.3 · AI score 6.4 · EPSS 0.00427
Exploits 1 · References 1 · Affected Software 1
Tenable Nessus
added 2018/06/15 12:0 a.m. · 29 views

FreeBSD : password-store -- GPG parsing vulnerabilities (53eb9e1e-7014-11e8-8b1f-3065ec8fd3ec)

Jason A. Donenfeld reports: Markus Brinkmann discovered that the parsing of gpg command line output with regexes isn't anchored to the beginning of the line, which means an attacker can generate a malicious key that simply has the verification string as part of its username. This has a number of...

CVSS 9.8 · AI score 8.6 · EPSS 0.02614
Exploits 0 · References 3
OSV
added 2016/09/16 9:27 a.m. · 3 views

MGASA-2016-0301 Updated dropbear packages fix security vulnerability

Message printout was vulnerable to format string injection. If specific usernames including "%" symbols can be created on a system validated by getpwnam then an attacker could run arbitrary code as root when connecting to Dropbear server. Also, a dbclient user who can control username or host...

CVSS 10 · AI score 9.1 · EPSS 0.25332
Exploits 0 · References 4
exploitpack
added 2007/06/11 12:0 a.m. · 14 views

WindowsPT 1.2 - User ID Key Spoofing

WindowsPT 1.2 - User ID Key Spoofing source: https://www.securityfocus.com/bid/24412/info WinPT Windows Privacy Tray is prone to a key-spoofing vulnerability because it fails to properly display user-supplied key data. An attacker can exploit this issue to trick victim users into encrypting...

AI score 7.4
Exploits 0