79 matches found

NVD
added last week | 8 views

CVE-2026-45357

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart, leading to memory and render limit...

7.5 CVSS | 0.00385 EPSS
Exploits 0 | References 3

Cvelist
added last week | 22 views

CVE-2026-45357 LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime)

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart, leading to memory and render limit...

7.5 CVSS | 0.00385 EPSS
Exploits 0 | References 3

CVE
added last week | 33 views

CVE-2026-45357

CVE-2026-45357 — LiquidJS date filter (strftime) DoS via unbounded width padding. In LiquidJS

7.5 CVSS | 5.1 AI score | 0.00385 EPSS
Exploits 0 | References 3

RedHat Linux
added 2026/06/08 12:40 p.m. | 21 views

libarchive: Buffer Overflow vulnerability in libarchive

A flaw was found in the libarchive package. Affected versions of libarchive do not check a strftime return value, which can lead to a denial of service or unspecified other impacts via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be...

7.8 CVSS | 5.9 AI score | 0.00329 EPSS
Exploits 1 | References 7

Snyk
added 2026/05/27 5:33 p.m. | 7 views

Allocation of Resources Without Limits or Throttling

Overview: liquidjs is a simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the date filter in filters/date.ts and the strftime formatter in...

8.7 CVSS | 5.9 AI score | 0.00385 EPSS
Exploits 0 | References 2

Github Security Blog
added 2026/05/27 5:33 p.m. | 12 views

LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)

Summary: The date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart in src/util/underscore.ts. The pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit, so a...

7.5 CVSS | 5.8 AI score | 0.00385 EPSS
Exploits 0 | References 2 | Affected Software 1

OSV
added 2026/05/27 5:33 p.m. | 6 views

GHSA-HH27-HF48-9F5Q LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)

Summary: The date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad/padStart in src/util/underscore.ts. The pad loop performs unbounded string concatenation without consulting the Context's memoryLimit or renderLimit, so a...

7.5 CVSS | 5.8 AI score | 0.00385 EPSS
Exploits 0 | References 2

Positive Technologies
added 2026/05/27 12:0 a.m. | 11 views

PT-2026-44154

Name of the Vulnerable Software and Affected Versions: LiquidJS versions prior to 10.26.0. Description: An issue exists in the date filter's strftime implementation where width specifiers, such as %9999999d, are parsed and passed unchecked into the pad and padStart functions. In the...

7.5 CVSS | 5.2 AI score | 0.00385 EPSS
Exploits 0 | References 7

RedhatCVE
added 2026/02/10 7:24 p.m. | 4 views

CVE-2026-2241

A denial of service flaw was found in janet-lang. A local attacker can exploit a vulnerability in the os_strftime function by manipulating input, which causes an out-of-bounds read. This issue can lead to a Denial of Service (DoS), making the system unresponsive or unavailable. Mitigation Mitigation...

6.1 CVSS | 5.6 AI score | 0.00169 EPSS
Exploits 1 | References 2

SUSE CVE
added 2026/02/10 12:25 a.m. | 4 views

SUSE CVE-2026-2241

A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is...

6.1 CVSS | 5.1 AI score | 0.00169 EPSS
Exploits 1 | References 3

AlpineLinux
added 2026/02/09 4:2 p.m. | 4 views

CVE-2026-2241

A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is...

6.1 CVSS | 5.1 AI score | 0.00169 EPSS
Exploits 1 | References 8

Vulnrichment
added 2026/02/09 4:2 p.m. | 6 views

CVE-2026-2241 janet-lang janet os.c os_strftime out-of-bounds

A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is...

4.8 CVSS | 5.1 AI score | 0.00169 EPSS
Exploits 1 | References 8

CNNVD
added 2026/02/09 12:0 a.m. | 6 views

Janet Buffer Error Vulnerability

Janet is a functional and imperative programming language and bytecode interpreter developed by Janet Language. Versions of Janet prior to 1.40.1 contained a buffer error vulnerability, which was caused by an out-of-bounds read in the os_strftime function, potentially leading to information leakag...

6.1 CVSS | 6 AI score | 0.00169 EPSS
Exploits 1 | References 8

Positive Technologies
added 2026/02/09 12:0 a.m. | 7 views

PT-2026-7121

A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch i...

4.8 CVSS | 5.1 AI score | 0.00169 EPSS
Exploits 1 | References 8

Tenable Nessus
added 2026/01/16 12:0 a.m. | 2 views

MiracleLinux 7 : glibc-2.17-196.el7 (AXSA:2017-2064:04)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2017-2064:04 advisory. The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as ...

9.8 CVSS | 8.2 AI score | 0.05966 EPSS
Exploits 3 | References 6

Tenable Nessus
added 2026/01/13 12:0 a.m. | 2 views

MiracleLinux 7 : libarchive-3.1.2-14.0.2.el7.AXS7 (AXSA:2025-10751:03)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10751:03 advisory. CVE-2025-25724: fix buffer overflow vulnerability in libarchive. CVEs: CVE-2025-25724 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not chec...

7.8 CVSS | 5.9 AI score | 0.00329 EPSS
Exploits 1 | References 2

OSV
added 2025/11/25 10:3 p.m. | 1 views

JLSEC-2025-243 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value,...

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custo...

4 CVSS | 7 AI score | 0.00329 EPSS
Exploits 1 | References 5

Fedora
added 2025/10/23 11:59 p.m. | 7 views

[SECURITY] Fedora 43 Update: php-php81_bc-strftime-0.7.6-1.fc43

The strftime function has been marked as deprecated in PHP 8.1. This package provides a locale-formatted strftime implementation using IntlDateFormatter, for projects seeking an easy, backwards-compatible solution...

7.1 AI score
Exploits 0

Tenable Nessus
added 2025/10/23 12:0 a.m. | 2 views

Fedora 43 : dokuwiki / php-php81_bc-strftime (2025-e6ce056923)

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2025-e6ce056923 advisory. - Initial build for PHP81_BC\strftime - Update DokuWiki to version 2025-05-14b Librarian. Tenable has extracted the preceding description block directly from t...

5.6 AI score
Exploits 0 | References 1

Slackware Linux
added 2025/10/17 11:5 p.m. | 10 views

[slackware-security] libarchive

New libarchive packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/libarchive-3.8.2-i586-1slack15.0.txz: Upgraded. This update contains security fixes and improvements: 7zip: Fix out of boundary...

7.8 CVSS | 7 AI score | 0.00329 EPSS
Exploits 1