EUVD-2026-38387

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for...

EUVD-2026-38386

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed...

EUVD-2026-38384

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack...

EUVD-2026-38382

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining...

CVE-2026-42600

Summary of the vulnerability (CVE-2026-42600) : MinIO’s ReadMultiple internode storage-REST endpoint is vulnerable to path traversal when processing a msgpack-encoded ReadMultipleReq body. An attacker holding the cluster root JWT can craft a request to POST /minio/storage/{drivePath}/v63/rmpl wit...

GHSA-H9Q6-HC68-35RP Denial of service in github.com/shamaton/msgpack

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data format codes 0xd4-0xd8. This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack...

CVE-2026-2454

Mattermost vulnerability CVE-2026-2454 affects Mattermost server versions 11.3.x (≤11.3.0), 11.2.x (≤11.2.2), and 10.11.x (≤10.11.10). The issue arises from incorrect handling of array lengths in error reports, enabling a malicious user to trigger OOMs and crash the server by sending corrupted ms...

Deserialization of Untrusted Data

Overview langgraph is a Building stateful, multi-actor applications with LLMs Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the msgpack-encoded checkpoints. An attacker can execute arbitrary code by supplying a crafted msgpack-encoded payload to the...

Deserialization of Untrusted Data

Overview langgraph-checkpoint is a library with base interfaces for LangGraph checkpoint savers. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the msgpack-encoded checkpoints. An attacker can execute arbitrary code by supplying a crafted msgpack-encoded...

EUVD-2026-9860

LangGraph checkpoint loading has unsafe msgpack deserialization...

msgpacker security vulnerability

msgpacker is a fast MessagePack NodeJS/JavaScript implementation. A security vulnerability exists in versions of msgpacker prior to 1.10.1, which stems from the fact that when decoding a user-supplied MessagePack message, an attacker can craft the message in such a way that the decoder triggers...

CVE-2021-46878

An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flbpackmsgpacktojsonformat leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to craft a specially craft file an...