CVE-2026-46526

CVE-2026-46526 concerns Local Deep Research. Before version 1.6.10, the URL validation flow had a logical flaw that could bypass SSRF protections because parsing differed between urlparse and the HTTP request library. The code first runs SSRF checks via validate_url and then uses requests.get to ...

PT-2026-44472

Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate url to validate the input URL. Th...

PT-2026-44135

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. The configuration methods allowLinkHosts... and allowLinkSchemes... are intended to restrict targets to an allowlist of hosts/schemes; allowMediaHosts / allowMediaSchemes do the same for etc. Three distinct bypasses all...

Open WebUI 代码问题漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.5 had code issues and vulnerabilities, which were caused by parsing differences between the urlparse and requests libraries, leading to SSRF bypasses...

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

Impact go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally,...

EUVD-2026-16696

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

CVE-2026-28368

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

CVE-2025-61732 Potential code smuggling via doc comments in cmd/cgo

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary...

vLLM code issues and vulnerabilities

vLLM is an open-source solution designed for LLM-based models, featuring high throughput and memory-efficient reasoning and service engines. Prior to vLLM 0.14.1, there were code-related vulnerabilities. These vulnerabilities stemmed from differences in the interpretation of backslashes by variou...

UBUNTU-CVE-2025-66567

The ruby-saml library is for implementing the client side of a SAML authorization. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different...

EUVD-2021-1568

Malware in sbrugna...

BIT-LIBPYTHON-2025-0938 URL parser allowed square brackets in domain names

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in...

python: cpython: URL parser allowed square brackets in domain names

A flaw was found in Python. The Python standard library functions urllib.parse.urlsplit and urlparse accept domain names that included square brackets, which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs...

DEBIAN-CVE-2025-0938

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in...

GHSA-5325-XW5M-PHM3 Cross-site Scripting in ammonia

An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870...

CVE-2021-38193

An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870...

CVE-2021-38193

An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870...

Design/Logic Flaw

An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870...

CVE-2021-38193

CVE-2021-38193 : A cross-site scripting vulnerability exists in the ammonia crate for Rust, prior to version 3.1.0. The issue arises from mishandled parsing differences between HTML, SVG, and MathML, enabling an attacker to inject malicious scripts. The vulnerability is related to, and similar in...

CVE-2021-38193

An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870...