23 matches found
foreman: Foreman: Information disclosure via improper validation of nested request parameters
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomyscope controller method does not properly validate organization and location IDs from nested request parameters,...
foreman: Foreman: Information disclosure via improper validation of nested request parameters
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomyscope controller method does not properly validate organization and location IDs from nested request parameters,...
foreman: Foreman: Information disclosure via improper validation of nested request parameters
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomyscope controller method does not properly validate organization and location IDs from nested request parameters,...
CVE-2026-5138 Foreman: foreman: information disclosure via improper validation of nested request parameters
A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomyscope controller method does not properly validate organization and location IDs from nested request parameters,...
CVE-2026-54297 Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nestin...
CVE-2026-54297
CVE-2026-54297 (Faraday) : Uncontrolled recursion in Faraday::NestedParamsEncoder during decoding of nested query strings can create deeply nested Ruby Hashes, leading to a stack exhaustion DoS. Affected versions are Faraday 1.0.0 through 1.10.6 and 2.14.3. The vulnerability is fixed in 1.10.6 an...
CVE-2026-54892
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
EUVD-2026-38446
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the NestedParamsEncoder module through the dehash routine. An attacker can cause the application to crash and exhaust system resources by submitting a deeply nested query string that triggers uncontrolled...
PT-2026-51060
Name of the Vulnerable Software and Affected Versions Faraday versions prior to 2.14.2-2-g59334e0 Description Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder, decodes nested query strings without enforcing a maximum nesting depth. An attacker can provide a crafted...
CVE-2026-4776
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the API contact filtering due to insufficient recursive sanitization of nested query parameters. An attacker can execute arbitrary SQL commands and potentially access sensitive data or disrupt database integrity by...
CVE-2026-4776
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
CVE-2026-4776
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
CVE-2026-4776
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
CVE-2026-4776
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands...
PT-2021-21349 · Unknown +2 · Ublock Origin +2
Name of the Vulnerable Software and Affected Versions: uBlock Origin versions prior to 1.36.2 nMatrix versions prior to 4.4.9 Description: The issue allows crafted web sites to cause a denial of service due to unbounded recursion, which can trigger memory consumption and a loss of all blocking...
rubygem-activerecord: SQL injection when processing nested query paramaters
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...