
5125 matches found

Snyk
added 2026/04/22 8:23 p.m., 4 views

Uncontrolled Recursion

Overview: org.webjars.npm:xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related...

8.7 CVSS | 5.4 AI score | 0.0004 EPSS
Exploits: 0 | References: 2
Snyk
added 2026/04/22 8:23 p.m., 4 views

Uncontrolled Recursion

Overview: @xmldom/xmldom is a JavaScript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom. Affected versions of this package are vulnerable to Uncontrolled...

8.7 CVSS | 5.5 AI score | 0.0004 EPSS
Exploits: 0 | References: 2
EUVD
added 2026/04/22 6:31 p.m., 4 views

EUVD-2026-24963

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbol...

7.3 CVSS | 5.9 AI score | 0.00011 EPSS
Exploits: 0 | References: 3
NVD
added 2026/04/22 5:16 p.m., 3 views

CVE-2026-35365

The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to...

6.6 CVSS | 0.00016 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/22 4:8 p.m., 2 views

CVE-2026-35358 uutils coreutils cp Semantic Loss and Potential Denial of Service with -R via Device Node Stream Reading

The cp utility in uutils coreutils, when performing recursive copies -R, incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are...

4.4 CVSS | 5.7 AI score | 0.00014 EPSS
Exploits: 1 | References: 3
EUVD
added 2026/04/22 3:31 p.m., 3 views

EUVD-2026-24957

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI Extensible Firmware Interface device path node header. A local user could exploit this...

5.5 CVSS | 5.7 AI score | 0.00019 EPSS
Exploits: 0 | References: 3
ATTACKERKB
added 2026/04/22 1:45 p.m., 1 views

CVE-2026-6862

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI Extensible Firmware Interface device path node header. A local user could exploit this...

5.5 CVSS | 5.7 AI score | 0.00019 EPSS
Exploits: 0 | References: 3
GithubExploit
added 2026/04/22 12:28 a.m., 107 views

Exploit for CVE-2026-26903

CVE-2026-26903 PoC Denial-of-service via unbounded recursio...

5.8 AI score
Exploits: 1
CNNVD
added 2026/04/22 12:0 a.m., 5 views

uutils coreutils link following vulnerability

uutils coreutils is a cross-platform core command-line toolset developed by Uutils. uutils coreutils has a post-installation link vulnerability, which arises from improper handling of directories containing symbolic links during the mv command’s file system boundary movement. This vulnerability m...

6.6 CVSS | 5.8 AI score | 0.00016 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2026/04/22 12:0 a.m., 3 views

PT-2026-34501

The mv utility in uutils coreutils improperly handles directory trees containing symbolic links during moves across filesystem boundaries. Instead of preserving symlinks, the implementation expands them, copying the linked targets as real files or directories at the destination. This can lead to...

6.6 CVSS | 5.8 AI score | 0.00016 EPSS
Exploits: 0 | References: 3
Positive Technologies
added 2026/04/22 12:0 a.m., 1 views

PT-2026-34450

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI Extensible Firmware Interface device path node header. A local user could exploit this...

5.5 CVSS | 5.7 AI score | 0.00019 EPSS
Exploits: 0 | References: 3
Snyk
added 2026/04/21 8:0 p.m., 2 views

Uncontrolled Recursion

Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion via certificate chain validation logic. An attacker can cause a denial of service by supplying a crafted certificate chain that triggers excessive recursion or stack usage during validation, resulting in a stack...

6.9 CVSS | 5.9 AI score | 0.00066 EPSS
Exploits: 0 | References: 2
OSV
added 2026/04/21 2:58 p.m., 4 views

CLSA-2026-1776783520 nodejs: Fix of 2 CVEs

CVE-2026-26996: fix ReDoS in bundled minimatch caused by consecutive non-globstar characters, by coalescing them during pattern compilation - CVE-2026-27904: fix ReDoS in bundled minimatch from nested extglobs and multiple non-adjacent wildcards, by limiting globstar recursion...

8.7 CVSS | 6.3 AI score | 0.00026 EPSS
Exploits: 2 | References: 1
OSV
added 2026/04/21 2:43 p.m., 4 views

CLSA-2026-1776782592 nodejs: Fix of 2 CVEs

CVE-2026-26996: fix ReDoS in bundled minimatch caused by consecutive non-globstar characters, by coalescing them during pattern compilation - CVE-2026-27904: fix ReDoS in bundled minimatch from nested extglobs and multiple non-adjacent wildcards, by limiting globstar recursion...

8.7 CVSS | 5.8 AI score | 0.00026 EPSS
Exploits: 2 | References: 1
Snyk
added 2026/04/21 2:8 a.m., 0 views

Uncontrolled Recursion

Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion via the ExtractPluginFromImage function. An attacker can cause disk exhaustion by supplying a crafted container image containing a decompression bomb, which decompresses to an arbitrarily large file during plugin...

6.5 CVSS | 5.4 AI score | 0.00054 EPSS
Exploits: 1 | References: 2
Snyk
added 2026/04/21 2:8 a.m., 1 views

Uncontrolled Recursion

Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion via the ExtractPluginFromImage function. An attacker can cause disk exhaustion by supplying a crafted container image containing a decompression bomb, which decompresses to an arbitrarily large file during plugin...

6.5 CVSS | 5.4 AI score | 0.00054 EPSS
Exploits: 1 | References: 2
RedhatCVE
added 2026/04/20 7:22 p.m., 3 views

CVE-2026-40324

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser Utf8GraphQLParser has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types...

9.1 CVSS | 5.7 AI score | 0.00047 EPSS
Exploits: 0 | References: 1
OSV
added 2026/04/20 3:44 p.m., 2 views

SUSE-SU-2026:21237-1 Security update for the Linux Kernel

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues. The following security issues were fixed: - CVE-2025-39998: scsi: target: targetcoreconfigfs: Add length check to avoid buffer overflow bsc1252073. - CVE-2025-40253: s390/ctcm: Fix double-kfree bsc1255084. -...

9.8 CVSS | 6.2 AI score | 0.00765 EPSS
Exploits: 3 | References: 122
OSV
added 2026/04/20 3:44 p.m., 0 views

SUSE-SU-2026:21361-1 Security update for the Linux Kernel

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues. The following security issues were fixed: - CVE-2025-39998: scsi: target: targetcoreconfigfs: Add length check to avoid buffer overflow bsc1252073. - CVE-2025-40253: s390/ctcm: Fix double-kfree bsc1255084. -...

9.8 CVSS | 6.3 AI score | 0.00765 EPSS
Exploits: 3 | References: 122
OSV
added 2026/04/20 3:9 p.m., 3 views

SUSE-SU-2026:21352-1 Security update for the Linux Kernel

The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues. The following security issues were fixed: - CVE-2025-39998: scsi: target: targetcoreconfigfs: Add length check to avoid buffer overflow bsc1252073. - CVE-2025-40253: s390/ctcm: Fix double-kfree bsc1255084. -...

9.8 CVSS | 6.3 AI score | 0.00765 EPSS
Exploits: 3 | References: 122