19904 matches found
Orval has Code Injection via unsanitized x-enum-descriptions using JS comments
CVE-2026-23947 had an incomplete fix. While the current jsStringEscape function properly handles single quotes ('), double quotes (") and other characters, it fails to sanitize the * and / characters. This allows attackers to break out of JavaScript comment blocks using */ sequences and inject arbitrary code...
CLEANSTART-2026-PB78859 ParseAddress function constructs domain-literal address components through repeated string concatenation
Multiple security vulnerabilities affect the kubevela package. The ParseAddress function constructs domain-literal address components through repeated string concatenation. See references for individual vulnerability details...
CLEANSTART-2026-NF19624 ParseAddress function constructs domain-literal address components through repeated string concatenation
Security vulnerability affects the timoni package. The ParseAddress function constructs domain-literal address components through repeated string concatenation...
CLEANSTART-2026-TY78539 ParseAddress function constructs domain-literal address components through repeated string concatenation
Multiple security vulnerabilities affect the go-fips-1.24 package. The ParseAddress function constructs domain-literal address components through repeated string concatenation. See references for individual vulnerability details...
CLEANSTART-2026-VS64679 ParseAddress function constructs domain-literal address components through repeated string concatenation
Multiple security vulnerabilities affect the go-fips-1.24 package. The ParseAddress function constructs domain-literal address components through repeated string concatenation. See references for individual vulnerability details...
CVE-2026-1687
A weakness has been identified in Tenda HG10 USHG7HG9HG10re300001138enxpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack...
EUVD-2026-5022
A weakness has been identified in Tenda HG10 USHG7HG9HG10re300001138enxpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack...
CLEANSTART-2026-ER42900 ParseAddress function constructs domain-literal address components through repeated string concatenation
Multiple security vulnerabilities affect the external-dns-fips package. The ParseAddress function constructs domain-literal address components through repeated string concatenation. See references for individual vulnerability details...
CLEANSTART-2026-PK92575 ParseAddress function constructs domain-literal address components through repeated string concatenation
Security vulnerability affects the wazero package. The ParseAddress function constructs domain-literal address components through repeated string concatenation...
CVE-2025-69929
An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format...
EspoCRM-Admin-Extension-Upload-RCE-
EspoCRM 9.2.7 Administrator Remote Code Execution Vulnerabilit...
CVE-2025-63651
A use-after-free in the mk_string_char_search function in mk_core/mk_string.c of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server...
AZL-76457 CVE-2025-63651 affecting package fluent-bit 3.0.6-6
A use-after-free in the mk_string_char_search function in mk_core/mk_string.c of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server...
CVE-2025-62514 `libparsec_crypto` does not check for weak order point of curve 25519
Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, libparsec_crypto, a component of the Parsec application, does not check for weak order points of Curve25519 when compiled with its RustCrypto backend. In practice this means ...
Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)
Summary: The Unfurl web app enables Flask debug mode even when the configuration sets debug = False. The config value is read as a string and passed directly to app.run(debug=...), so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default. Details - unfurl/app.py:weba...
GHSA-VG9H-JX4V-CWX2 Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)
Summary: The Unfurl web app enables Flask debug mode even when the configuration sets debug = False. The config value is read as a string and passed directly to app.run(debug=...), so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default. Details - unfurl/app.py:weba...
CLSA-2026-1769697509 glib2: Fix of CVE-2025-13601
CVE-2025-13601: fix incorrect buffer size calculation in g_escape_uri_string...