388 matches found
CVE-2026-30623
CVE-2026-30623 affects LiteLLM 1.18.10 via the MCP server creation feature. The vulnerability arises when MCP configuration JSON can set arbitrary values for command and args, which LiteLLM executes on the host without validation, enabling remote code execution with the LiteLLM process privileges...
CVE-2026-30623
LiteLLM 1.18.10 contains a remote code execution vulnerability in its MCP server creation functionality. The application allows users to add MCP servers via a JSON configuration specifying arbitrary command and args values. LiteLLM executes these values on the host without validation, enabling...
CVE-2026-61505 Rejetto HFS < 3.2.1 Limited File Disclosure via Path Traversal in lang Parameter
Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitation is constrained to files matching a narrow naming and format pattern, limiting practical impact...
Linux Distros Unpatched Vulnerability : CVE-2026-49844
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issu...
[SECURITY] Fedora 44 Update: rust-jiter-0.16.0-1.fc44
Fast Iterable JSON parser...
[SECURITY] Fedora 44 Update: python-jiter-0.16.0-1.fc44
Fast iterable JSON parser...
OPENSUSE-SU-2026:21210-1 Security update for google-osconfig-agent
This update for google-osconfig-agent fixes the following issues - CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers. - CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents bsc1251453. -...
CVE-2026-9563
A flaw was found in Eclipse Parsson. The JSON parser did not enforce a default maximum on the number of characters consumed while processing a single JSON document. A remote attacker could exploit this by providing a very large, specially crafted JSON document. This could force applications to...
PT-2026-54936
Name of the Vulnerable Software and Affected Versions Eclipse Parsson versions prior to 1.1.8 Description The JSON parser does not enforce a default maximum on the number of characters consumed when parsing a single JSON document. This allows an attacker to provide specially crafted JSON document...
CVE-2026-53426 Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation. MDEx.parsedocument/2 accepts a :json, json source. In lib/mdex.ex, the private jsontonode/1 function passes the attacker-controlled nodetype value to Module.concat/1, which calls...
PYSEC-2026-319 Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
Summary The safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT start with underscore, enabling a complete sandbox escape to achieve...
RLSA-2023:6976 Moderate: libfastjson security update
The libfastjson library provides essential JavaScript Object Notation JSON handling functions. The library enables users to construct JSON objects in C, output them as JSON-formatted strings, and convert JSON-formatted strings back to the C representation of JSON objects. Security Fixes: json-c,...
CVE-2026-54350
Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write...
EUVD-2026-39145
Quest NetVault Backup NVBULibraryPort SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
CVE-2026-9785
Quest NetVault Backup NVBULibrarySlot SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
CVE-2026-48028
Mastodon (open-source social network server) versions prior to 4.5.10, 4.4.17, and 4.3.23 are affected. The vulnerability arises from how incoming activities signed with Linked-Data Signatures are normalized, failing to adequately protect against a class of spoofing that lets an attacker remove J...
CVE-2026-46349 Mastodon: LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing attackers to...
PT-2026-51140
Name of the Vulnerable Software and Affected Versions WordPress Time Capsule Plugin version 1.21.16 Description An authentication bypass allows unauthenticated attackers to gain administrative access by sending a crafted POST request containing the IWP JSON PREFIX header. This flaw enables the...
CVE-2026-10825
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot...
CVE-2026-49847 FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes...