465 matches found
protobuf.js 安全漏洞
protobuf.js is an open-source implementation of the Protocol Buffer library, written entirely in JavaScript. It supports protocols for Node.js and browsers using TypeScript. It’s easy to use, extremely fast, and can be used out of the box with.proto files. Versions prior to 7.5.8 and 8.2.0 of...
CVE-2026-42355
CVE-2026-42355 affects NanaZip, an open‑source file archive. The issue is an uncontrolled recursion in the Electron Archive (ASAR) parser when opening a crafted .asar with deeply nested JSON in the header. The recursion occurs in both nlohmann::json::parse and the handler’s GetAllPaths, consuming...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python3 (SUSE-SU-2026:1715-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1715-1 advisory. - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined...
Unity Linux 20.1070e Security Update: expat (UTSA-2026-017383)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017383 advisory. In Expat aka libexpat before 2.4.5, an attacker can trigger stack exhaustion in buildmodel via a large nesting depth in the DTD element. Tenable has extracted the...
Improper Isolation or Compartmentalization
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...
GHSA-8HG8-63C5-GWMX vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...
Improper Isolation or Compartmentalization
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when th...
EUVD-2026-28288
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...
PT-2026-37337
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.1 Description When a NodeVM is created with the nesting variable set to true, sandbox code can unconditionally use require'vm2' regardless of the outer VM's require configuration, including when require is set to...
Linux Distros Unpatched Vulnerability : CVE-2026-31647
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The...
CVE-2026-42039 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...
CVE-2026-31647
In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The conversion is safe because complete/all are called outside the lock and...
CVE-2026-31647
CVE-2026-31647 concerns the Linux kernel idpf driver. The vulnerability stems from improper nesting of PREEMPT_RT raw/BH spinlocks during asynchronous VC handling, which could yield an invalid wait context. A fix switches from the completion’s raw spinlock to a local lock in the idpf_vc_xn struct...
CVE-2026-31647 idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling
In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The conversion is safe because complete/all are called outside the lock and...
Axios 安全漏洞
Axios is an open-source HTTP client developed by Axios. Versions prior to Axios 1.15.1 and 0.31.1 contain security vulnerabilities. These vulnerabilities stem from the recursive traversal of nested objects in toFormData, which allows for unlimited depth of nested values. This can lead to Node.js...
PT-2026-34999
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the idpf driver regarding PREEMPT RT raw/bh spinlock nesting during asynchronous VC handling. The problem occurs because the async handler takes a BH spinlock while...
xmldom: Uncontrolled recursion in XML serialization leads to DoS
Summary Seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. Reported operations: - Node.prototype.normalize — reported by @praveen-kv email 2026-04-05 and...
perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files
A flaw was found in XML::Parser, a Perl module for parsing XML. This vulnerability, an off-by-one heap buffer overflow, occurs when processing an XML file with very deep element nesting. A remote attacker could exploit this by providing a specially crafted XML file, potentially leading to memory...
PT-2026-34616
Name of the Vulnerable Software and Affected Versions @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions 0.6.0 and earlier Description Seven recursive traversals in lib/dom.js operate without a depth limit. When processing a sufficiently deeply nested...