Lucene search
K

15095 matches found

Debian CVE
Debian CVE
added 6 days ago4 views

CVE-2026-53192

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at sndtimeruserparams At releasing a timer object, e.g. when a userspace timer CONFIGSNDUTIMER gets closed and sndtimerfree is called, it tries to detach the timer instances and release the resources. However...

7.8CVSS5.7AI score0.00134EPSS
Exploits0
CVE
CVE
added 6 days ago11 views

CVE-2026-53192

CVE-2026-53192 — Linux kernel ALSA timer UAF fix The vulnerability affects the ALSA timer path (snd_timer_user_params) in the Linux kernel. A race can occur during timer object release when a concurrent SNDRV_TIMER_IOCTL_PARAMS ioctl is in flight, potentially leading to a use-after-free if anothe...

7.8CVSS5.8AI score0.00134EPSS
Exploits0References4
NVD
NVD
added 6 days ago10 views

CVE-2026-8665

OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to insufficient input sanitization in shell command construction...

9.8CVSS0.00675EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-39159

OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction...

6CVSS6.2AI score0.00833EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 6 days ago9 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters

A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during...

7.5CVSS5.8AI score0.00389EPSS
Exploits0References9
Cvelist
Cvelist
added last week33 views

CVE-2026-54297 Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nestin...

7.5CVSS0.00391EPSS
Exploits1References1
CVE
CVE
added last week46 views

CVE-2026-54297

CVE-2026-54297 (Faraday) : Uncontrolled recursion in Faraday::NestedParamsEncoder during decoding of nested query strings can create deeply nested Ruby Hashes, leading to a stack exhaustion DoS. Affected versions are Faraday 1.0.0 through 1.10.6 and 2.14.3. The vulnerability is fixed in 1.10.6 an...

7.5CVSS5.9AI score0.00391EPSS
Exploits1References4Affected Software1
RedHat Linux
RedHat Linux
added last week4 views

LibreOffice: LibreOffice: Denial of Service via crafted OOXML documents

A flaw was found in LibreOffice. A remote attacker could exploit this out-of-bounds write vulnerability by tricking a user into opening a specially crafted OOXML Office Open XML document with mismatched encryption salt parameters. This could lead to a denial of service DoS, making the application...

7.8CVSS5.9AI score0.00078EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/23 9:21 p.m.23 views

jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation

jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters i.e. the type ID string contains when only java.util.ArrayList is allow-listed. The container...

8.1CVSS6.2AI score0.00617EPSS
Exploits1References4Affected Software2
OSV
OSV
added 2026/06/23 9:21 p.m.2 views

GHSA-J3RV-43J4-C7QM jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation

jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters i.e. the type ID string contains when only java.util.ArrayList is allow-listed. The container...

8.1CVSS6.2AI score0.00617EPSS
Exploits1References4
OSV
OSV
added 2026/06/23 9:17 p.m.5 views

DEBIAN-CVE-2026-54512

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS5.8AI score0.00617EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/06/23 9:17 p.m.7 views

jackson-databind has a @JsonView bypass for unwrapped creator parameters

Summary UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults prop.visibleInViewactiveView. The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses tha...

6.5CVSS5.9AI score0.00211EPSS
Exploits0References6Affected Software2
NVD
NVD
added 2026/06/23 9:17 p.m.12 views

CVE-2026-54512

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS0.00617EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 9:17 p.m.3 views

UBUNTU-CVE-2026-54512

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS5.8AI score0.00617EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/06/23 9:2 p.m.27 views

CVE-2026-54518 jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...

6.5CVSS0.00211EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/23 9:2 p.m.6 views

EUVD-2026-38629

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...

6.5CVSS5.9AI score0.00211EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/06/23 8:56 p.m.6 views

CVE-2026-54512

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS5.8AI score0.00617EPSS
Exploits1
CVE
CVE
added 2026/06/23 8:56 p.m.53 views

CVE-2026-54512

jackson-databind contains a PolymorphicTypeValidator (PTV) bypass vulnerability. When polymorphic typing is enabled and the type ID includes generic parameters, DatabindContext._resolveAndValidateGeneric() validates only the raw container class name, then parses the full canonical type without va...

8.1CVSS5.8AI score0.00617EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/06/23 8:56 p.m.29 views

CVE-2026-54512 jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS0.00617EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/23 8:56 p.m.7 views

EUVD-2026-38595

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

8.1CVSS5.8AI score0.00617EPSS
Exploits1References3
Rows per page
Query Builder