CLSA-2026-1778143159 jq: Fix of 2 CVEs

CVE-2026-33948: fix NUL truncation in JSON parser validation bypass - CVE-2026-33947: fix unbounded recursion stack overflow in jvsetpath/getpath/delpaths...

CLSA-2026-1778142360 jq: Fix of 2 CVEs

CVE-2026-33947: limit path depth in jvsetpath, jvgetpath, and jvdelpaths to prevent stack overflow from deep path arrays - CVE-2026-33948: remove strlen-based length calculation that truncated JSON input at embedded NUL bytes, preventing parser-differential attacks...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...

CVE-2026-41139

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0...

EUVD-2026-28310

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0...

CVE-2026-41139 Unsafe array index getter in mathjs

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0...

CVE-2026-41139 Unsafe array index getter in mathjs

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0...

CVE-2026-41139

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0...

CVE-2026-41139

CVE-2026-41139 affects mathjs: Unsafe array index getter in the expression parser allows arbitrary JavaScript execution. The issue was present from version 13.1.0 up to before 15.2.0 and has been patched in 15.2.0. Impact is high (CVSSv3.0: 8.8, network attack vector, user interaction: none, priv...

CLSA-2026-1778129970 python3.11: Fix of 7 CVEs

CVE-2026-0672: reject control characters in http.cookies cookie names, values, and parameters to prevent header injection - CVE-2026-3644: reject control characters in Morsel.update, |= operator, and unpickling paths missed by CVE-2026-0672; add output validation to BaseCookie.jsoutput -...

CLSA-2026-1778128255 wireshark: Fix of 8 CVEs

CVE-2022-0585: fix large/infinite loops in multiple dissectors AMP, ATN-ULCS, BP, GDSDB, PMUL, WAP, ZigBee ZCL, OpenFlow v5/v6, IPDC, TDS, ASN.1 PER, FTUINTBYTES/STRING - CVE-2022-4344: fix Kafka dissector memory exhaustion via decompression/loop bounds - CVE-2023-0666: fix RTPS dissector...

CVE-2026-41672

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or...

Unsafe Dependency Resolution

Overview Affected versions of this package are vulnerable to Unsafe Dependency Resolution due to improper validation of HTTPS certificates in the parser process. An attacker can inject or modify remote CSS content by performing a man-in-the-middle attack during stylesheet loading over HTTPS...

CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content

Summary The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle MITM attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFYNONE, meaning any HTTPS certificate—even entirely untrusted—will...

GHSA-FF6C-W6QF-7XQC CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content

Summary The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle MITM attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFYNONE, meaning any HTTPS certificate—even entirely untrusted—will...

Exploit for Prototype Pollution in N8N

GHSA-q5f4-99jv-pgg5 — n8n XML Webhook Prototype Pollution → RC...

CVE-2025-63704

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...

Query String Parser 安全漏洞

Query String Parser is a JavaScript tool for parsing query strings developed by Victor Teo. Version 1.0.0 of Query String Parser has a security vulnerability. This vulnerability arises from improper cleaning of query parameters provided by users and their merging into newly created objects, which...

PT-2026-38624

Name of the Vulnerable Software and Affected Versions Microsoft APM versions prior to 0.8.12 Description Microsoft APM normalizes marketplace plugins by copying components referenced in plugin.json into the .apm/ directory. The implementation fails to verify that the paths specified in the agents...

CVE-2025-63704

CVE-2025-63704 affects the NPM package [email protected] and is caused by improper sanitization of user-supplied query parameters, leading to prototype pollution (merging inputs into a newly created object). The CVSS v3.1 base score reported is 9.8 (CRITICAL) with network attack vector, n...