728236 matches found
EUVD-2026-37827
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart, leading to memory and render limit...
CVE-2026-45357 LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime)
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart, leading to memory and render limit...
CVE-2026-45357
CVE-2026-45357 — LiquidJS date filter (strftime) DoS via unbounded width padding . In LiquidJS
CVE-2026-45357 LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime)
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart, leading to memory and render limit...
CVE-2026-50200
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator...
CVE-2026-54386
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
EUVD-2026-37823
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in striphtml filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many script...
CVE-2026-45617 LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in striphtml filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many script...
CVE-2026-45617
CVE-2026-45617 affects LiquidJS, where the built‑in strip_html filter in versions 10.25.7 and earlier uses a backtracking regex that causes severe CPU backpressure (ReDoS) on inputs with unclosed [removed], , or
CVE-2026-45617 LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in striphtml filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many script...
Malicious code in ai-chat-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39a12d35a8713a8f63eaf342901214a7f53fa396b9ee8218d246e5e0db7b6318 collect.js performs system reconnaissance and exfiltration to a hardcoded attacker-controlled host. The script imports childprocess, os, fs, http, an...
MAL-2026-6086 Malicious code in ai-chat-helper (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39a12d35a8713a8f63eaf342901214a7f53fa396b9ee8218d246e5e0db7b6318 collect.js performs system reconnaissance and exfiltration to a hardcoded attacker-controlled host. The script imports childprocess, os, fs, http, an...
CVE-2026-50268
In Steeltoe, the OAEP misconfiguration affects the package Steeltoe.Configuration.Encryption 4.0.0–4.1.0, where setting encrypt:rsa:algorithm=OAEP does not enable OAEP due to an incorrect BouncyCastle transformation string. As a result, OAEP is effectively PKCS#1 v1.5 padding, the same as DEFAULT...
EUVD-2026-37821
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle...
CVE-2026-50268 Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle...
CVE-2026-50268 Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle...
Malicious code in @hotcappuccino/nodepull (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99 @hotcappuccino/[email protected] ships a single index.js the package's declared main that is wrapped in an obfuscator.io string-array +...
MAL-2026-6085 Malicious code in @hotcappuccino/nodepull (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99 @hotcappuccino/[email protected] ships a single index.js the package's declared main that is wrapped in an obfuscator.io string-array +...
EUVD-2026-37815
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the striphtml filter logic. The striphtml filter is intended to remove HTML tags from a string before rendering, and is widely used as an XS...
CVE-2026-44644 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the striphtml filter logic. The striphtml filter is intended to remove HTML tags from a string before rendering, and is widely used as an XS...