
34 matches found

Github Security Blog
added 2026/03/27 5:58 p.m. · 5 views

Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521

Summary: A prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parsestr, bypassing the prototype pollution guard. This vulnerability ste...

CVSS 9.8 · AI score 6.2 · EPSS 0.0007
Exploits 2 · References 7 · Affected Software 1

Github Security Blog
added 2026/02/02 10:21 p.m. · 5 views

locutus is vulnerable to Prototype Pollution

Summary: A Prototype Pollution vulnerability exists in the npm package locutus 2.0.12. Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using...

CVSS 9.4 · AI score 6.2 · EPSS 0.00018
Exploits 1 · References 4 · Affected Software 1

Microsoft CVE
added 2025/10/01 11:10 p.m. · 4 views

The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.

...

CVSS 5 · AI score 7 · EPSS 0.00998
Exploits 0

Tenable Nessus
added 2025/09/16 12:0 a.m. · 1 views

Linux Distros Unpatched Vulnerability : CVE-2022-50334

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - hugetlbfs: fix null-ptr-deref in hugetlbfsparseparam Syzkaller reports a null-ptr-deref bug as follows: ...

CVSS 5.5 · AI score 6 · EPSS 0.00017
Exploits 0 · References 3

OSV
added 2025/09/15 3:15 p.m. · 0 views

DEBIAN-CVE-2022-50334

In the Linux kernel, the following vulnerability has been resolved: hugetlbfs: fix null-ptr-deref in hugetlbfsparseparam Syzkaller reports a null-ptr-deref bug as follows: KASAN: null-ptr-deref in range 0x0000000000000000-0x0000000000000007...

CVSS 5.5 · AI score 5.3 · EPSS 0.00017
Exploits 0 · References 1

Snyk
added 2025/05/23 3:43 p.m. · 2 views

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read via the parsestring function. An attacker can cause a denial of service by sending a malformed JSON input that lacks a trailing newline when cJSONParseWithLength is called. PoC sh "1":1, with no trailing newline...

CVSS 5.5 · AI score 6.9 · EPSS 0.00089
Exploits 1 · References 2

CNNVD
added 2025/05/23 12:0 a.m. · 1 views

cJSON Buffer Error Vulnerability

cJSON is a lightweight open source JSON parser from the individual developer Dave Gamble. A buffer error vulnerability exists in cJSON versions prior to 1.7.18, which stems from a heap buffer over-read in the parsestring function...

CVSS 5.5 · AI score 6.7 · EPSS 0.00089
Exploits 1 · References 2

OSV
added 2023/11/20 3:15 p.m. · 2 views

DEBIAN-CVE-2023-48039

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gfmpdparsestring mediatools/mpd.c:75...

CVSS 5.5 · AI score 7 · EPSS 0.00045
Exploits 1 · References 1

OSV
added 2023/11/20 3:15 p.m. · 0 views

UBUNTU-CVE-2023-48039

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gfmpdparsestring mediatools/mpd.c:75...

CVSS 5.5 · AI score 5.8 · EPSS 0.00045
Exploits 1 · References 3

CNNVD
added 2023/11/20 12:0 a.m. · 3 views

GPAC Security Vulnerabilities

GPAC is an open source multimedia framework. A security vulnerability exists in GPAC version 2.3-DEV-rev617-g671976fcc-master, which stems from a memory leak vulnerability in component gfmpdparsestring mediatools/mpd.c:75...

CVSS 5.5 · AI score 6.8 · EPSS 0.00045
Exploits 1 · References 2

Positive Technologies
added 2023/11/20 12:0 a.m. · 3 views

PT-2023-8888 · Gpac +2 · Gpac +2

Name of the Vulnerable Software and Affected Versions: GPAC versions 2.3-DEV-rev617-g671976fcc-master Description: The issue is related to a memory leak in the gf mpd parse string function, located in media tools/mpd.c:75, due to the lack of memory release after its effective term of service...

CVSS 7.1 · AI score 6.9 · EPSS 0.00046
Exploits 2 · References 14

SUSE CVE
added 2023/02/15 6:11 a.m. · 2 views

SUSE CVE-2007-3294

Multiple buffer overflows in libtidy, as used in the Tidy extension for PHP 5.2.3 and possibly other products, allow context-dependent attackers to execute arbitrary code via (1) a long second argument to the tidyparsestring function or (2) an unspecified vector to the tidyrepairstring function. NOTE...

CVSS 7.5 · AI score 8.2 · EPSS 0.0702
Exploits 0 · References 3

SUSE CVE
added 2023/02/15 5:3 a.m. · 1 views

SUSE CVE-2016-4303

The parsestring function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow...

CVSS 9.8 · AI score 8.1 · EPSS 0.07577
Exploits 2 · References 3

SUSE CVE
added 2023/02/15 4:49 a.m. · 1 views

SUSE CVE-2017-6435

The parsestringnode function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory corruption) via a crafted plist file...

CVSS 5 · AI score 6.4 · EPSS 0.00105
Exploits 1 · References 4

SUSE CVE
added 2023/02/15 4:49 a.m. · 1 views

SUSE CVE-2017-6436

The parsestringnode function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory allocation error) via a crafted plist file...

CVSS 5 · AI score 6.4 · EPSS 0.00076
Exploits 1 · References 4

SUSE CVE
added 2023/02/15 4:49 a.m. · 2 views

SUSE CVE-2017-6439

Heap-based buffer overflow in the parsestringnode function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (out-of-bounds write) via a crafted plist file...

CVSS 3.3 · AI score 6.8 · EPSS 0.0007
Exploits 1 · References 4

SUSE CVE
added 2023/02/15 4:34 a.m. · 0 views

SUSE CVE-2018-0202

clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf)...

CVSS 5.6 · AI score 9.1 · EPSS 0.02179
Exploits 0 · References 6

SUSE CVE
added 2023/02/15 4:5 a.m. · 2 views

SUSE CVE-2019-20007

An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezxmlstr2utf8, while parsing a crafted XML file, performs zero-length reallocation in ezxml.c, leading to returning a NULL pointer in some compilers. After this, the function ezxmlparsestr does not check whether the s variable is...

CVSS 5.5 · AI score 7 · EPSS 0.0085
Exploits 1 · References 12

OSV
added 2023/02/03 9:15 p.m. · 0 views

AZL-74523 CVE-2022-45496 affecting package suitesparse 7.11.0-1

Buffer overflow vulnerability in function jsonparsestring in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to execute arbitrary code and gain escalated privileges...

CVSS 7.8 · AI score 7.4 · EPSS 0.00215
Exploits 0 · References 1

OSV
added 2021/05/06 6:12 p.m. · 0 views

GHSA-F98M-Q3HR-P5WQ Prototype Pollution in locutus

All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parsestr function...

CVSS 9.8 · AI score 7.2 · EPSS 0.01718
Exploits 1 · References 5