ROOT-APP-MAVEN-CVE-2024-36124 CVE-2024-36124 in io.root.org.iq80.snappy:snappy - Patched by Root

Root has patched CVE-2024-36124 in the io.root.org.iq80.snappy:snappy package for Root:Maven. Multiple fixed versions available...

Astra Linux – Vulnerability in snappy-java

Snappy-Java is a Java port of the snappy, a fast C++ compressor/decompressor developed by Google. It was found that the SnappyInputStream is vulnerable to Denial of Service DoS attacks when decompressing data with a too large chunk size. Due to a lack of a upper bound check on the chunk length, a...

ROOT-APP-MAVEN-CVE-2023-34454 CVE-2023-34454 in io.root.org.xerial.snappy:snappy-java - Patched by Root

Root has patched CVE-2023-34454 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2023-34453 CVE-2023-34453 in io.root.org.xerial.snappy:snappy-java - Patched by Root

Root has patched CVE-2023-34453 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2023-34455 CVE-2023-34455 in io.root.org.xerial.snappy:snappy-java - Patched by Root

Root has patched CVE-2023-34455 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2023-43642 CVE-2023-43642 in io.root.org.xerial.snappy:snappy-java - Patched by Root

Root has patched CVE-2023-43642 in the io.root.org.xerial.snappy:snappy-java package for Root:Maven. Multiple fixed versions available...

CVE-2026-46683

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...

CVE-2026-46683 Snappy: SSRF and local file read via the xsl-style-sheet option

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...

CVE-2026-46683 Snappy: SSRF and local file read via the xsl-style-sheet option

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.0, there is a SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0...

CVE-2026-46643 Snappy: Binary path is never shell-escaped due to an inverted is_executable check

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg‘/usr/bin/wkhtmltopdf’ returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. isexecutable then looks for a file...

EUVD-2026-36111

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg‘/usr/bin/wkhtmltopdf’ returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. isexecutable then looks for a file...

CVE-2026-46643

CVE-2026-46643 affects KnLplabs Snappy (knplabs/knp-snappy) on POSIX, where escapeshellarg('/usr/bin/wkhtmltopdf') may still leave $command unescaped due to a faulty is_executable check. This allows command execution when the binary path is influenced by user input or environment data, as the saf...

netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

Snappy 代码问题漏洞

Snappy is a PHP library developed by KNP Labs’ individual developers. It allows for the generation of thumbnails, snapshots, or PDFs from URLs or HTML pages. Versions of Snappy prior to 1.7.0 contained code vulnerabilities. These vulnerabilities stemmed from the xsl-style-sheet option, which coul...

Snappy 操作系统命令注入漏洞

Snappy is a PHP library developed by KNP Labs’ individual developers. It allows for the generation of thumbnails, snapshots, or PDFs from URLs or HTML pages. Prior to Snappy 1.7.1, there was a vulnerability related to operating system command injection. This vulnerability stemmed from the...

CVE-2026-42587

A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...

CVE-2026-42154

A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint /api/v1/read by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service DoS...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the constructor when the binary path is sourced from user-influenced configuration, environment variables derived from request data, or concatenated with user-controlled fragments. An attacker can execute arbitrary...

GHSA-VPR4-P6FQ-85JC Snappy: Binary path is never shell-escaped due to an inverted is_executable check

Impact On POSIX, escapeshellarg‘/usr/bin/wkhtmltopdf’ returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. isexecutable then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and...