Lucene search
+L

140 matches found

osv
osv
added 2026/07/03 9:16 p.m.6 views

DEBIAN-CVE-2026-12481

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the raiseforlambdadeserialization function fails to enforce the safe-mode guard when safemode is set to None, which is the default...

9.8CVSS6.6AI score0.00397EPSS
Exploits1References1
debiancve
debiancve
added 2026/07/03 8:36 p.m.9 views

CVE-2026-12481

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the raiseforlambdadeserialization function fails to enforce the safe-mode guard when safemode is set to None, which is the default...

9.8CVSS7.7AI score0.00397EPSS
Exploits1
euvd
euvd
added 2026/07/03 8:36 p.m.8 views

EUVD-2026-41600

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the raiseforlambdadeserialization function fails to enforce the safe-mode guard when safemode is set to None, which is the default...

8.8CVSS7.7AI score0.00397EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/07/03 12:0 a.m.11 views

PT-2026-55585

Name of the Vulnerable Software and Affected Versions keras-team/keras version 3.14.0 Description Improper handling of deserialization in the Lambda layer allows for arbitrary OS-level code execution in the context of the server or user process. The raise for lambda deserialization function fails...

9.8CVSS7.7AI score0.00397EPSS
Exploits1References7
nvd
nvd
added 2026/06/26 8:17 p.m.6 views

CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...

9.9CVSS0.00272EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/06/26 7:26 p.m.10 views

CVE-2026-46386

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...

9.9CVSS5.8AI score0.00272EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/06/26 7:26 p.m.23 views

CVE-2026-46386 OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...

9.9CVSS0.00272EPSS
Exploits0References1
osv
osv
added 2026/06/26 7:26 p.m.3 views

CVE-2026-46386 OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`

OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRETKEYBASE=OVERWRITEME as the default Rails master key. Combined with cookiesserializer = :marshal, this gives any logged-in user a deterministic...

9.9CVSS6AI score0.00272EPSS
Exploits0References3
cve
cve
added 2026/06/26 7:26 p.m.24 views

CVE-2026-46386

OpenProject’s official docker image ships SECRET_KEY_BASE=OVERWRITE_ME and cookies_serializer = :marshal, creating a deterministic Marshal-deserialization path reachable via the /my/two_factor_devices cookie reader. This enables potential pre-authentication remote code execution, as noted in the ...

9.9CVSS5.8AI score0.00272EPSS
Exploits0References1
rosalinux
rosalinux
added 2026/05/19 2:7 p.m.18 views

Advisory ROSA-SA-2026-3276

software: ocaml 4.12.0 WASP: ROSA-CHROME unaffected versions = ocaml-4.12.0-3 affected versions ocaml-4.12.0-3 CVE-ID: CVE-2026-28364 BDU-ID: None CVE-Crit: HIGH CVE-DESC.: An out-of-buffer read vulnerability in the Marshal deserialization function runtime/intern.c in OCaml allows a remote attack...

7.9CVSS6.2AI score0.0021EPSS
Exploits0
nessus
nessus
added 2026/05/16 12:0 a.m.15 views

Amazon Linux 2023 : ruby3.4, ruby3.4-bundled-gems, ruby3.4-default-gems (ALAS2023-2026-1690)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1690 advisory. ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB...

8.1CVSS6AI score0.01131EPSS
Exploits0References4
amazon
amazon
added 2026/05/15 12:0 a.m.11 views

Important: ruby3.4

Issue Overview: ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other...

8.1CVSS6.2AI score0.01131EPSS
Exploits0
amazon
amazon
added 2026/05/14 12:0 a.m.18 views

Important: ruby

Issue Overview: ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other...

8.1CVSS6.2AI score0.01131EPSS
Exploits0
nessus
nessus
added 2026/05/14 12:0 a.m.10 views

Amazon Linux 2 : ruby, --advisory ALAS2-2026-3284 (ALAS-2026-3284)

The version of ruby installed on the remote host is prior to 2.0.0.648-36. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3284 advisory. ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance...

8.1CVSS6AI score0.01131EPSS
Exploits0References4
nessus
nessus
added 2026/05/14 12:0 a.m.9 views

TencentOS Server 4: ruby (TSSA-2026:0297)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0297 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

8.1CVSS6.1AI score0.01131EPSS
Exploits0References2
nessus
nessus
added 2026/05/09 12:0 a.m.6 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: ruby (UTSA-2026-016801)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016801 advisory. ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to...

8.1CVSS6AI score0.01131EPSS
Exploits0References4
github
github
added 2026/04/24 3:36 p.m.21 views

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

Summary Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other public methods that also evaluate @src via eva...

8.1CVSS6.7AI score0.01131EPSS
Exploits0References4Affected Software1
snyk
snyk
added 2026/04/24 4:20 a.m.11 views

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the defmodule, defmethod, or defclass methods due to insufficient deserialization guards. An attacker can achieve arbitrary code execution by supplying crafted input to Marshal.load in a Ruby application...

9.2CVSS6.3AI score0.01131EPSS
Exploits0References2
osv
osv
added 2026/04/24 3:16 a.m.5 views

DEBIAN-CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other public methods th...

8.1CVSS6.1AI score0.01131EPSS
Exploits0References1
nvd
nvd
added 2026/04/24 3:16 a.m.5 views

CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other public methods th...

8.1CVSS0.01131EPSS
Exploits0References17
Rows per page
Query Builder