55 matches found

RedhatCVE
added 2026/06/09 11:54 a.m., 12 views

CVE-2026-46739

A flaw was found in perl-Net-Statsd. This vulnerability allows an attacker to inject additional statsd metrics due to insufficient validation of metric names and values. Specifically, the software does not properly check for newlines, colons, or pipes in metric names, nor does it ensure that valu...

CVSS 5.3 | AI score 5.3 | EPSS 0.00258
Exploits: 0 | References: 2

EUVD
added 2026/06/04 3:45 p.m., 8 views

EUVD-2026-34295

Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats used for updating counters and gauge methods do not check that values...

CVSS 8.2 | AI score 5.8 | EPSS 0.00344
Exploits: 0 | References: 3

Vulnrichment
added 2026/06/04 3:45 p.m., 10 views

CVE-2026-46739 Net::Statsd versions before 0.13 for Perl allow metric injections

Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats used for updating counters and gauge methods do not check that values...

AI score 5.8 | EPSS 0.00258
Exploits: 0 | References: 3

Cvelist
added 2026/06/04 3:45 p.m., 30 views

CVE-2026-46739 Net::Statsd versions before 0.13 for Perl allow metric injections

Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats used for updating counters and gauge methods do not check that values...

EPSS 0.00258
Exploits: 0 | References: 3

ATTACKERKB
added 2026/06/04 3:45 p.m., 6 views

CVE-2026-46739

Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats used for updating counters and gauge methods do not check that values...

CVSS 5.3 | AI score 5.8 | EPSS 0.00258
Exploits: 0 | References: 4

Positive Technologies
added 2026/06/04 12:0 a.m., 11 views

PT-2026-46264

Name of the Vulnerable Software and Affected Versions: Net::Statsd versions prior to 0.13. Description: Net::Statsd for Perl allows metric injections because metric names are not validated for newlines, colons, or pipes. This allows metrics generated from untrusted sources to inject additional stats...

CVSS 5.3 | AI score 5.4 | EPSS 0.00258
Exploits: 0 | References: 14

NVD
added 2026/03/23 2:16 p.m., 3 views

CVE-2026-33297

WWBN AVideo is an open source video platform. Prior to version 26.0, the setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numer...

CVSS 9.1 | EPSS 0.00342
Exploits: 1 | References: 2

CVE
added 2026/03/23 1:46 p.m., 7 views

CVE-2026-33297

CVE-2026-33297 affects WWBN AVideo prior to version 26.0. A logic error in CustomizeUser/setPassword.json.php coerces any non-numeric ProfilePassword to 0 via intval(), causing the stored channel password to become 0. This enables any visitor to bypass channel-level access controls by entering 0....

CVSS 9.1 | AI score 5.8 | EPSS 0.00342
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/03/23 1:46 p.m., 2 views

CVE-2026-33297 AVideo has an IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

WWBN AVideo is an open source video platform. Prior to version 26.0, the setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numer...

CVSS 5.1 | AI score 5.9 | EPSS 0.00342
Exploits: 1 | References: 4

ATTACKERKB
added 2026/03/20 11:6 p.m., 3 views

CVE-2026-33228

flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...

CVSS 9.3 | AI score 6 | EPSS 0.00613
Exploits: 1 | References: 4 | Affected Software: 1

Github Security Blog
added 2026/03/19 5:43 p.m., 18 views

Prototype Pollution via parse() in NodeJS flatted

Summary: The parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the...

CVSS 9.8 | AI score 6 | EPSS 0.00613
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2026/03/19 5:25 p.m., 5 views

GHSA-6547-8HRG-C55M AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

Summary: The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before...

CVSS 5.1 | AI score 5.8 | EPSS 0.00342
Exploits: 1 | References: 4

Positive Technologies
added 2026/03/19 12:0 a.m., 6 views

PT-2026-26475

Summary: The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before...

CVSS 5.1 | AI score 5.9 | EPSS 0.00342
Exploits: 1 | References: 5

OSV
added 2026/03/11 6:16 p.m., 4 views

UBUNTU-CVE-2026-31870

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API httplib::stream::Get, httplib::stream::Post, etc., the library calls std::stoull directly on the Content-Length header value received from the server...

CVSS 7.5 | AI score 5.7 | EPSS 0.00453
Exploits: 1 | References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2006-5636

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01648
Exploits: 1 | References: 7

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2021-0953

Malware in sbrugna...

CVSS 7.5 | AI score 7.5 | EPSS 0.01979
Exploits: 1 | References: 6

Veracode
added 2025/09/22 7:7 a.m., 12 views

Prototype Pollution

devalue is vulnerable to prototype pollution. The vulnerability is due to devalue.parse not validating that an index is numeric, which allows an attacker to pass a crafted string with a __proto__ property to assign prototypes to objects and properties...

CVSS 7.9 | AI score 6.9 | EPSS 0.00345
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2025/08/26 10:33 p.m., 33 views

CVE-2025-57820

CVE-2025-57820 affects the JavaScript library devalue (used with Svelte). Prior to version 5.3.2, parsing payloads with devalue.parse could allow a __proto__ property and non-numeric indices to be treated in dangerous ways, enabling prototype pollution on objects via the prototype chain. The issue is...

CVSS 7.9 | AI score 6.6 | EPSS 0.00345
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/22 6:30 p.m., 5 views

CVE-2021-29513

TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors results in null pointer dereferences. The conversion from Python array to C++...

CVSS 7.8 | AI score 6.6 | EPSS 0.00201
Exploits: 1 | References: 1

OSV
added 2025/05/02 4:15 p.m., 5 views

AZL-70135 CVE-2023-53093 affecting package kernel 5.15.200.1-1

In the Linux kernel, the following vulnerability has been resolved: tracing: Do not let histogram values have some modifiers. Histogram values can not be strings, stacktraces, graphs, symbols, syscalls, or grouped in buckets or log. Give an error if a value is set to do so. Note, the histogram cod...

CVSS 5.5 | AI score 6.2 | EPSS 0.00157
Exploits: 0 | References: 1