PT-2026-42043

Impact In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. Patches Versions 4.2.0 and up contain a configurable parse node...

ALSA-2026:19361 Moderate: glib2 security update

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fixes: glib: GLib: Buffer underflow...

Malicious code in byte-parser (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

limit-size (>=0.1.3 <=0.1.4), limit-size-webpack-plugin (>=1.0.0 <=1.0.5) potentially affected by unknown CVE via byte-parser (=1.0.0)

byte-parser NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on byte-parser and may be impacted: - limit-size =0.1.3, =1.0.0, =1.0.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3846...

@bassist/eslint-config (>=0.3.0 <=0.5.0), @bassist/oxc-integration (>=0.1.0 <=0.2.0) +10 more potentially affected by unknown CVE via @lint-md/parser (>=0.0.11 <=0.0.9)

@lint-md/parser NPM version =0.0.11, =0.3.0, =0.1.0, =2.0.0, =2.0.0, =2.1.4, =2.1.4, =4.1.0, =1.1.0, =1.19.7, =1.1.0, =1.0.0, =1.3.4, =1.3.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4125...

Malicious code in @lint-md/parser (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

ALSA-2026:19148 Moderate: glib2 security update

GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fixes: glib: GLib: Buffer underflow...

PT-2026-41879

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw in the URL validation logic during redirect operations allows an attacker to bypass validation and redirect users to unauthorized URLs. This occurs when Keycloak clients are configure...

OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI

Summary A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large values and adds the payload delimite...

OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages

Summary Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated...

CVE-2026-8735

A vulnerability was identified in Oinone Pamirs up to 7.2.0. This affects the function JsonUtils.parseMap of the file PamirsParserConfig.java of the component appConfigQuery Interface. Such manipulation leads to deserialization. The attack can be launched remotely. The exploit is publicly availab...

CVE-2026-41895

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpathfilter switches to XML mode for XML/RSS content and creates etree.XMLParserstripcdata=False without explicitly disabling external entity resolution, external DTD loading, or network-backed entity...

GHSA-PGVV-Q3WF-MM9M OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads

Summary The Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. Details The vulnerable logic is in pkg/ebpf/common/sqldetectpostgres.go. In th...

GHSA-WP73-MWGF-4JQ9 OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

Summary OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language. Details...

CVE-2026-41650

A flaw was found in fast-xml-parser. The XMLBuilder component does not properly escape specific sequences "--" in comments and "" in CDATA sections when constructing XML from JavaScript objects. This vulnerability allows an attacker to perform XML injection if user-controlled data is processed...

JLSEC-2026-507

LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser::parseCompoundSelector in parserselectors.cpp...

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers

A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the jvparsesized function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the erro...

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers

A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the jvparsesized function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the erro...

avalon-filter-rce

Title: Prototype Escape and Remote Code Execution in RubyLouv...

CVE-2024-13971

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobsterpro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services...