EUVD-2025-210106

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

CVE-2025-71329

The CVE-2025-71329 vulnerability affects image-size up to version 2.0.2 and is triggered by a crafted image buffer containing a zero-valued size field in a recognized box-type, causing an infinite loop in the JXL or HEIF parsers and permanently blocking the Node.js event loop (DoS). Impact is den...

Apache Tika - XML External Entity Injection

Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1, and tika-parsers 1.13-1.28.5 contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input. id: CVE-2025-66516 info: nam...

DEBIAN-CVE-2025-55658

GPAC MP4Box v2.4 was discovered to contain a floating point exception in the gfopusparsepacketheader function mediatools/avparsers.c. bThis vulnerability allows attackers to cause a Denial of Service DoS via a crafted MP4 file...

PT-2026-48158

A segmentation violaton in the gf hevc read sps bs internal function media tools/av parsers.c of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service DoS via supplying crafted HEVC SPS data...

PT-2026-47173

$1,000 of compute found 21 zero-days in FFmpeg. An autonomous agent called depthfirst scanned roughly 1.5 million lines of C, then wrote a reproducible proof-of-concept for every bug it reported. The shift is that second half. Not a list of suspicious lines for a human to chase, but 21 crashing...

CVE-2024-2374

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. ...

Docling: Unsafe XML Entity Expansion in USPTO Patent Backend

Impact The USPTO patent XML parser used the standard xml.sax.parseString without protection against XML External Entity XXE attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could: - Read arbitrary files from the server filesystem - Perform...

PT-2026-46101

Impact The USPTO patent XML parser used the standard xml.sax.parseString without protection against XML External Entity XXE attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could: - Read arbitrary files from the server filesystem - Perform...

CVE-2026-45921

A flaw was found in the Linux kernel's mtd: parsers component. A memory leak occurs in the mtdparsertplinksafeloaderparse function. This happens when a buffer is allocated but not freed if a subsequent allocation for a part name fails, leading to unreleased memory. This could potentially lead to...

CVE-2026-39803

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when...

CVE-2026-44353

CVE-2026-44353 affects Streamlink (CLI) prior to 8.4.0. The HLS/DASH parsers do not validate the URI scheme of segment entries, so a remote .m3u8 or .mpd manifest can reference file:// URIs. Streamlink may read local files and write their contents to the output stream, enabling potential disclosu...

CVE-2026-2253

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities...

PT-2026-43483

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities...

CVE-2026-45921

mtd: parsers: Fix memory leak in mtdparsertplinksafeloaderparse...

SUSE CVE-2026-39829

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public...

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection in the use of SchemaFactory.newInstance and TransformerFactory.newInstance without applying FEATURESECUREPROCESSING. An attacker can access sensitive files or interact with internal systems by submittin...

UBUNTU-CVE-2026-39829

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public...

CVE-2026-39829

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public...

Google Go 安全漏洞

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, where the RSA and DSA public key parsers do not enforce size limits on key parameters, which may caus...