GHSA-HWX4-2J3J-G496 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
Summary pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause pnpm install --ignore-scripts to replace...
GHSA-M34P-749J-X6M6 js-toml has silent type confusion via falsy-primitive duplicate-key bypass
Summary js-toml's interpreter checks whether a key already exists in a parser-built container with if (object[key]) instead of if (key in object). When the prior value is a falsy primitive (false, 0, 0n, 0.0, -0, or ""), the duplicate-key branch is skipped and the value is silently overwritten by a...
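The check described above, as an added example in JavaScript (this is not js-toml's code): a minimal table builder that records key/value pairs into a parser-built container the way a TOML interpreter does, with the truthiness check next to the presence check. The sample pairs are constructed; hasKeyOwn is an extra variant of mine, not something the advisory proposes.

```javascript
// Added example, not js-toml's code: duplicate-key detection when filling a
// parser-built container, shown with the flawed check beside correct ones.

// Constructed sample: flattened TOML assignments. TOML forbids defining the
// same key twice, so the second "enabled" entry must be rejected.
const SAMPLE_PAIRS = [
  ['enabled', false],          // prior value is a falsy primitive
  ['enabled', { nested: 1 }],  // duplicate key, and a different type
];

// Flawed check (the pattern the advisory describes): tests the stored value's
// truthiness, so any falsy prior value looks like "key not present".
function hasKeyTruthy(container, key) {
  return container[key] ? true : false;
}

// Fix named in the advisory: test presence of the key, not its value.
function hasKeyIn(container, key) {
  return key in container;
}

// Stricter variant (my assumption, not the advisory's text): own properties
// only, so a document key such as "constructor" is not mistaken for an
// inherited member of Object.prototype.
function hasKeyOwn(container, key) {
  return Object.prototype.hasOwnProperty.call(container, key);
}

// Builds the table, throwing on a duplicate key as a TOML parser must.
function buildTable(pairs, hasKey) {
  const table = {};
  for (const [key, value] of pairs) {
    if (hasKey(table, key)) throw new Error(`duplicate key: ${key}`);
    table[key] = value;
  }
  return table;
}

// Reports whether the duplicate was caught and which type ended up stored.
function outcome(hasKey) {
  try {
    const table = buildTable(SAMPLE_PAIRS, hasKey);
    return { rejected: false, storedType: typeof table.enabled };
  } catch (e) {
    return { rejected: true, storedType: null };
  }
}

// Every falsy primitive listed in the advisory slips past the truthiness check.
const FALSY_PRIMITIVES = [false, 0, 0n, 0.0, -0, ''];
function bypassingValues(hasKey = hasKeyTruthy) {
  return FALSY_PRIMITIVES.filter((v) => !hasKey({ k: v }, 'k'));
}

console.log(outcome(hasKeyTruthy));      // { rejected: false, storedType: 'object' }
console.log(outcome(hasKeyIn));          // { rejected: true, storedType: null }
console.log(bypassingValues().length);   // 6
```

With the truthiness check the boolean false is replaced by a table without error, which is the type confusion the advisory names; with either presence check the second assignment is rejected.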
CVE-2026-48930
A flaw was found in Node.js. This vulnerability in TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose...
GHSA-396Q-4VC8-28X9 @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
Summary @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, but the default scrubSensitiveHeaders callback in RedirectHandlerOptions uses case-sensitive property deletion delete headers.Authorization, delete...
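The scrub step the kiota advisory describes, as an added example in JavaScript (not kiota's code): a redirect handler must drop credentials before following a cross-origin redirect, and a deletion keyed on one fixed spelling misses headers whose names the client has lower-cased. The URLs and headers are constructed; Proxy-Authorization in the sensitive set is my addition.

```javascript
// Added example, not kiota's code: header scrubbing before a cross-origin
// redirect, with case-sensitive deletion beside a case-insensitive version.

// Constructed request: many fetch stacks normalise header names to lower case.
const ORIGINAL_URL = 'https://api.example.com/me';
const REDIRECT_URL = 'https://collector.example.net/in'; // different origin
const REQUEST_HEADERS = {
  authorization: 'Bearer constructed-token',
  cookie: 'session=abc123',
  accept: 'application/json',
};

// Names treated as credentials (Proxy-Authorization is my addition).
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Flawed scrub: deletes one fixed spelling, so lower-cased names survive.
function scrubCaseSensitive(headers) {
  const copy = { ...headers };
  delete copy.Authorization;
  delete copy.Cookie;
  return copy;
}

// Hardened scrub: compare names case-insensitively, as HTTP defines them.
function scrubCaseInsensitive(headers) {
  const copy = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) copy[name] = value;
  }
  return copy;
}

// Headers to send to the redirect target: unchanged for same-origin,
// scrubbed for cross-origin.
function headersForRedirect(headers, fromUrl, toUrl, scrub) {
  return isCrossOrigin(fromUrl, toUrl) ? scrub(headers) : { ...headers };
}

// Credential header names still present after the scrub (empty is the goal).
function leakedCredentialNames(headers) {
  return Object.keys(headers).filter((n) => SENSITIVE_HEADERS.has(n.toLowerCase()));
}

console.log(leakedCredentialNames(
  headersForRedirect(REQUEST_HEADERS, ORIGINAL_URL, REDIRECT_URL, scrubCaseSensitive)));   // [ 'authorization', 'cookie' ]
console.log(leakedCredentialNames(
  headersForRedirect(REQUEST_HEADERS, ORIGINAL_URL, REDIRECT_URL, scrubCaseInsensitive))); // []
```

The bug is specific to header maps kept as plain objects: a WHATWG Headers instance normalises names, so headers.delete('Authorization') there already removes the lower-cased entry. Whichever representation is used, the check to run is the one in leakedCredentialNames: after the scrub, no name in the outgoing set may match a credential name case-insensitively.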
GHSA-X8G9-H984-PC36 PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Summary pontedilana/php-weasyprint fetches the content of option values server-side via file_get_contents() when the value looks like a URL, without restricting the URL scheme. The attachment option of Pdf is the reachable sink: any value that passes isOptionUrl (filter_var(..., FILTER_VALIDATE_URL)) is...
GHSA-F5GC-QXF8-MH9G php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
Summary pontedilana/php-weasyprint builds the shell command for WeasyPrint by passing the binary path through escapeshellarg() first and then checking the quoted result with is_executable(). On POSIX, escapeshellarg('/usr/local/bin/weasyprint') returns '/usr/local/bin/weasyprint' (quoted) with the single-quote...
Security Bulletin: Multiple Vulnerabilities in IBM Operator for PostgreSQL
Summary Multiple vulnerabilities were addressed in IBM Operator for PostgreSQL version v28.3.3. Vulnerability Details CVEID: CVE-2026-45447 DESCRIPTION: Issue summary: A specially crafted PKCS7 or S/MIME signed message could trigger a use-after-free during PKCS7 signature verification. Impact...
CVE-2026-47205
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a use-after-free (UAF) vulnerability leading to a segmentation fault exists in Envoy's ext_authz HTTP filter when processing per-route authorization overrides...
GHSA-Q6RR-FM2G-G5X8 Scriban: array * int (ScriptArray<T>.TryEvaluate) bypasses LoopLimit — incomplete fix for GHSA-c875-h985-hvrc, missed sibling of GHSA-24c8-4792-22hx
Summary The array multiplication operator (array * integer) in Scriban allocates a result whose size is the product of the attacker-controlled integer and the array length, with no LoopLimit / LimitToString check and no overflow-safe arithmetic. A 40-byte template forces a multi-gigabyte allocation,...
GHSA-WPHV-VFRH-23Q5 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization Summary Testing revealed that joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length. The normal JWS compact and flattened JSON paths reject payloads above...
GHSA-3P34-W4F6-5XH2 better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server
Summary A directory traversal vulnerability exists in the production static file server of better-helperjs <= 3.0.5. Attackers can read arbitrary files located in adjacent directory structures that share the same string prefix as the intended static root directory. Details The framework utilizes a...
GHSA-FHP4-PR5J-46M5 Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
Summary A NULL pointer dereference vulnerability exists in PDFParser::CreateFilterForStream when processing a PDF stream with /Filter /LZWDecode and a /DecodeParms dictionary that does not contain the EarlyChange key. This causes an access violation (0xC0000005) and crashes the process. Affected...