6 matches found
GHSA-8QF3-X8V5-2PJ8 uv allows ZIP payload obfuscation through parsing differentials
Impact: In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers: 1. An attacker could contrive a ZIP...
uv allows ZIP payload obfuscation through parsing differentials
Impact: In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers: 1. An attacker could contrive a ZIP...
GHSA-754F-8GM6-C4R2
creationtimestamp| type| source
---|---|---
2025-03-12 20:07:18+00:00| seen| https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
2025-03-12 21:40:48+00:00| published-proof-of-concept| https://t.me/DarkWebInformerCVEAlerts/7388
2025-03-13...
CVE-2024-45409
creationtimestamp| type| source
---|---|---
2024-09-10 21:46:54+00:00| seen| https://t.me/cvedetector/5296
2024-09-12 10:08:54+00:00| published-proof-of-concept| https://t.me/HackingInsights/12851
2024-09-18 09:07:12+00:00| seen| https://t.me/HackingInsights/13399
2024-09-19 04:00:00+00:00| seen|...
Link Preload XSS
Description: Link preloads do not effectively confirm whether the requested link is external. Parser differentials can be used to bypass the existing external URL check. Root Cause: payload.client.ts contains the following code on link prefetch: ts nuxtApp.hooks.hook'link:prefetch', url = if...
CVE-2026-45066: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
More info at https://symfony.com/cve-2026-45066...