12 matches found

Github Security Blog
added 2026/05/27 9:11 p.m., 7 views

Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

Description: Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear($prefix) method, inherited from AbstractAdapterTrait, is documented to delete cache items whose key starts with $prefix. In the non-versioning code path, the caller-supplied $prefix is concatenated into...

AI score: 6.1
Exploits: 0, References: 6, Affected Software: 2
OSV
added 2026/05/27 9:11 p.m., 2 views

GHSA-6QH9-H6WF-JGQC Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix

Description: Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear($prefix) method, inherited from AbstractAdapterTrait, is documented to delete cache items whose key starts with $prefix. In the non-versioning code path, the caller-supplied $prefix is concatenated into...

CVSS: 7.1, AI score: 6
Exploits: 0, References: 6
Microsoft CVE
added 2026/04/17 8:1 a.m., 1 view

jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input

...

CVSS: 6.3, AI score: 5.7, EPSS: 0.00137
Exploits: 1
Cvelist
added 2026/04/13 11:51 p.m., 27 views

CVE-2026-33948 jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

CVSS: 6.3, EPSS: 0.00137
Exploits: 1, References: 2
NVD
added 2026/03/31 3:16 p.m., 1 view

CVE-2026-33762

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an...

CVSS: 2.8, EPSS: 0.00005
Exploits: 0, References: 2
OSV
added 2026/03/30 5:5 p.m., 1 view

GHSA-GM2X-2G9H-CCM8 go-git missing validation decoding Index v4 files leads to panic

Impact: go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This...

CVSS: 2.8, AI score: 5.9, EPSS: 0.00005
Exploits: 0, References: 4
OSV
added 2026/01/26 9:2 p.m., 3 views

GHSA-6PFH-P556-V868 pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Summary: A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing ../ or absolute paths that escape the extraction root via AdmZip's...

CVSS: 6.5, AI score: 5.9, EPSS: 0.0002
Exploits: 1, References: 5
Cvelist
added 2025/11/13 12:0 a.m., 4 views

CVE-2025-60671

A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823GV1.0.2B0520181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linuxvlanreinit file. The vulnerability occurs because content read from this file is only partially validated for a...

EPSS: 0.0078
Exploits: 1, References: 4
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2015-8602

Malware in sbrugna...

CVSS: 5.5, AI score: 5.5, EPSS: 0.00737
Exploits: 1, References: 10
CNNVD
added 2025/08/05 12:0 a.m., 2 views

Claude Code path traversal vulnerability

Claude Code is an open source proxy coding tool from Anthropic. A path traversal vulnerability exists in versions of Claude Code prior to 0.2.111; it stems from path validation that uses prefix matching instead of canonical path comparison, which could lead to a directory restriction bypass...

CVSS: 9.1, AI score: 6.5, EPSS: 0.00382
Exploits: 0, References: 2
RedHat Linux
added 2016/07/05 9:2 p.m., 2 views

crash: mon_command crashes ceph monitors on receiving empty prefix

A flaw was found in the way the handlecommand function validates the prefix value supplied by the user. An authenticated attacker could send a specially crafted prefix value, resulting in a ceph monitor crash...

CVSS: 6.5, AI score: 5.7, EPSS: 0.01361
Exploits: 0, References: 4
RedHat Linux
added 2016/07/05 8:27 p.m., 2 views

crash: mon_command crashes ceph monitors on receiving empty prefix

A flaw was found in the way the handlecommand function validates the prefix value supplied by the user. An authenticated attacker could send a specially crafted prefix value, resulting in a ceph monitor crash...

CVSS: 6.5, AI score: 5.7, EPSS: 0.01361
Exploits: 0, References: 4