Lucene search
K

465 matches found

CNNVD
CNNVD
added 2026/05/13 12:0 a.m.10 views

protobuf.js 安全漏洞

protobuf.js is an open-source implementation of the Protocol Buffer library, written entirely in JavaScript. It supports protocols for Node.js and browsers using TypeScript. It’s easy to use, extremely fast, and can be used out of the box with.proto files. Versions prior to 7.5.8 and 8.2.0 of...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References1
CVE
CVE
added 2026/05/12 7:20 p.m.18 views

CVE-2026-42355

CVE-2026-42355 affects NanaZip, an open‑source file archive. The issue is an uncontrolled recursion in the Electron Archive (ASAR) parser when opening a crafted .asar with deeply nested JSON in the header. The recursion occurs in both nlohmann::json::parse and the handler’s GetAllPaths, consuming...

5.5CVSS5.8AI score0.00111EPSS
Exploits0References1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/10 12:0 a.m.18 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python3 (SUSE-SU-2026:1715-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1715-1 advisory. - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined...

9.1CVSS6.9AI score0.00621EPSS
Exploits1References31
Tenable Nessus
Tenable Nessus
added 2026/05/09 12:0 a.m.8 views

Unity Linux 20.1070e Security Update: expat (UTSA-2026-017383)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017383 advisory. In Expat aka libexpat before 2.4.5, an attacker can trigger stack exhaustion in buildmodel via a large nesting depth in the DTD element. Tenable has extracted the...

6.5CVSS6.7AI score0.03268EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/07 5:13 a.m.9 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...

9.2CVSS6.3AI score0.009EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/07 5:13 a.m.19 views

vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...

9.9CVSS6.5AI score0.009EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/05/07 5:13 a.m.4 views

GHSA-8HG8-63C5-GWMX vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...

9.1CVSS6.5AI score0.009EPSS
Exploits1References5
Snyk
Snyk
added 2026/05/07 5:13 a.m.7 views

Improper Isolation or Compartmentalization

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when th...

9.9CVSS6.3AI score0.009EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/07 3:40 a.m.13 views

EUVD-2026-28288

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...

8.7CVSS5.7AI score0.00643EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.15 views

PT-2026-37337

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.1 Description When a NodeVM is created with the nesting variable set to true, sandbox code can unconditionally use require'vm2' regardless of the outer VM's require configuration, including when require is set to...

9.9CVSS6.6AI score0.009EPSS
Exploits1References16
Tenable Nessus
Tenable Nessus
added 2026/04/27 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-31647

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The...

5.5CVSS6.1AI score0.00122EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/24 6:1 p.m.4 views

CVE-2026-42039 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

6.9CVSS5.2AI score0.00744EPSS
Exploits1References1
NVD
NVD
added 2026/04/24 3:16 p.m.6 views

CVE-2026-31647

In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The conversion is safe because complete/all are called outside the lock and...

5.5CVSS0.00122EPSS
Exploits0References4
CVE
CVE
added 2026/04/24 2:45 p.m.20 views

CVE-2026-31647

CVE-2026-31647 concerns the Linux kernel idpf driver. The vulnerability stems from improper nesting of PREEMPT_RT raw/BH spinlocks during asynchronous VC handling, which could yield an invalid wait context. A fix switches from the completion’s raw spinlock to a local lock in the idpf_vc_xn struct...

5.5CVSS5.4AI score0.00122EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/24 2:45 p.m.28 views

CVE-2026-31647 idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling

In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The conversion is safe because complete/all are called outside the lock and...

0.00122EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.10 views

Axios 安全漏洞

Axios is an open-source HTTP client developed by Axios. Versions prior to Axios 1.15.1 and 0.31.1 contain security vulnerabilities. These vulnerabilities stem from the recursive traversal of nested objects in toFormData, which allows for unlimited depth of nested values. This can lead to Node.js...

7.5CVSS5.8AI score0.00744EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.7 views

PT-2026-34999

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the idpf driver regarding PREEMPT RT raw/bh spinlock nesting during asynchronous VC handling. The problem occurs because the async handler takes a BH spinlock while...

5.2AI score0.00122EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/04/22 8:23 p.m.43 views

xmldom: Uncontrolled recursion in XML serialization leads to DoS

Summary Seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. Reported operations: - Node.prototype.normalize — reported by @praveen-kv email 2026-04-05 and...

8.7CVSS6.1AI score0.00643EPSS
Exploits0References14Affected Software2
RedHat Linux
RedHat Linux
added 2026/04/22 7:1 a.m.13 views

perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files

A flaw was found in XML::Parser, a Perl module for parsing XML. This vulnerability, an off-by-one heap buffer overflow, occurs when processing an XML file with very deep element nesting. A remote attacker could exploit this by providing a specially crafted XML file, potentially leading to memory...

9.8CVSS5.9AI score0.00548EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.12 views

PT-2026-34616

Name of the Vulnerable Software and Affected Versions @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions 0.6.0 and earlier Description Seven recursive traversals in lib/dom.js operate without a depth limit. When processing a sufficiently deeply nested...

8.7CVSS5.8AI score0.00643EPSS
Exploits0References26
Rows per page
Query Builder