PT-2026-42227

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016817)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016817 advisory. The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to ...

Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for April 2026.

Summary Security vulnerabilities are addressed with IBM Business Automation Insights 24.0.0-IF007 and 25.0.1-IF001. These vulnerabilities have been also adressed in 24.0.1-IF007 and 25.0.0-IF004. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs...

Arbitrary Code Injection

Overview org.webjars.npm:math-codegen is a Generates code from mathematical expressions Affected versions of this package are vulnerable to Arbitrary Code Injection via the parse function. An attacker can execute arbitrary code by supplying crafted input that is injected directly into a dynamical...

Prototype Pollution

Overview org.webjars.npm:protocol-buffers-schema is a No nonsense protocol buffers schema parser written in Javascript Affected versions of this package are vulnerable to Prototype Pollution via the parse function. An attacker can modify object prototypes, potentially altering application logic,...

Fedora 43 : rubygem-json (2026-8c07fcde49)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-8c07fcde49 advisory. This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210 Tenable has extracted the...

UBUNTU-CVE-2026-33228

flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...

CVE-2026-33228 flatted: Prototype Pollution via parse()

flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...

CVE-2026-33228 flatted: Prototype Pollution via parse()

flatted is a circular JSON parser. Prior to version 3.4.2, the parse function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with th...

CVE-2026-32141

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...

GHSA-CFW5-2VXH-HR84 devalue has prototype pollution in devalue.parse and devalue.unflatten

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service DoS or type confusion...

CVE-2026-30226 devalue has prototype pollution in devalue.parse and devalue.unflatten

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

CVE-2026-30226

In Svelte devalue (v5.6.3 and earlier), the functions devalue.parse and devalue.unflatten are vulnerable to prototype pollution via malicious payloads, potentially enabling Denial of Service or type confusion. The issue is fixed in v5.6.4. Affected: the devalue library used to serialize values in...

CVE-2026-30226 devalue has prototype pollution in devalue.parse and devalue.unflatten

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could...

UBUNTU-CVE-2026-25679

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in qs-6.13.0.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in qs-6.13.0.tgz Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. SummaryThe arrayLimit option in qs does not enforce...

GHSA-W4GW-W5JQ-G9JH golang.org/x/net/html has a Quadratic Parsing Complexity issue

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to Denial of Service DoS if an attacker provides specially crafted HTML content...

AZL-76913 CVE-2025-58190 affecting package containerized-data-importer 1.62.0-1

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially crafted HTML content...

CVE-2025-47911

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially crafted HTML content...

AZL-77096 CVE-2025-47911 affecting package sriov-network-device-plugin 3.7.0-4

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service DoS if an attacker provides specially crafted HTML content...