19850 matches found

UbuntuCve
added 2026/05/08 5:16 p.m., 4 views

CVE-2026-41889

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a...

CVSS 9.8, AI score 5.7, EPSS 0.00012
Exploits 0, References 4
EUVD
added 2026/05/08 3:53 p.m., 5 views

EUVD-2026-28805

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a...

CVSS 2.3, AI score 5.7, EPSS 0.00012
Exploits 0, References 3
ATTACKERKB
added 2026/05/08 3:53 p.m., 3 views

CVE-2026-41889

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a...

CVSS 2.3, AI score 5.7, EPSS 0.00012
Exploits 0, References 4, Affected Software 1
ATTACKERKB
added 2026/05/08 3:38 p.m., 5 views

CVE-2026-41693

i18next-fs-backend is a backend layer for i18next, used in Node.js and Deno, that loads translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting fil...

CVSS 8.2, AI score 5.8, EPSS 0.00052
Exploits 0, References 2, Affected Software 1
Vulnrichment
added 2026/05/08 1:49 p.m., 6 views

CVE-2026-41507 Remote Code Execution (RCE) via String Literal Injection into math-codegen

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the...

CVSS 9.8, AI score 6.1, EPSS 0.00057
Exploits 0, References 3
CVE
added 2026/05/08 1:49 p.m., 8 views

CVE-2026-41507

CVE-2026-41507 affects math-codegen. Prior to 0.4.3, string literals passed to cg.parse() are injected into a new Function() body without sanitization, enabling attacker-controlled input to execute arbitrary system commands and potentially achieve full RCE when user input reaches the parser. The ...

CVSS 9.8, AI score 6.1, EPSS 0.00057
Exploits 0, References 3, Affected Software 1
Cvelist
added 2026/05/08 1:49 p.m., 21 views

CVE-2026-41507 Remote Code Execution (RCE) via String Literal Injection into math-codegen

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the...

CVSS 9.8, EPSS 0.00057
Exploits 0, References 3
CloudLinux
added 2026/05/08 11:35 a.m., 5 views

cyrus-sasl: Fix of CVE-2019-19906

CVE-2019-19906: fix off-by-one in sasladdstring lib/common.c that could cause denial of service or information disclosure via crafted input...

CVSS 7.5, AI score 7.1, EPSS 0.00481
Exploits 1
OSV
added 2026/05/08 11:35 a.m., 3 views

CLSA-2026-1778174671 cyrus-sasl: Fix of CVE-2019-19906

CVE-2019-19906: fix off-by-one in sasladdstring lib/common.c that could cause denial of service or information disclosure via crafted input...

CVSS 7.5, AI score 7.1, EPSS 0.00481
Exploits 1, References 1
OSV
added 2026/05/08 9:52 a.m., 3 views

CLSA-2026-1776163577 ncurses: Fix of CVE-2025-69720

CVE-2025-69720: add a limit-check in infocmp -i option's analyzestring function to prevent stack-based buffer overflow from upstream ncurses 6.5 patchlevel 20251213...

CVSS 9.8, AI score 6, EPSS 0.00013
Exploits 1, References 1
OSV
added 2026/05/08 7:11 a.m., 3 views

CLSA-2026-1778174719 Fix CVE(s): CVE-2026-40684

SECURITY UPDATE: Crash via malformed DNS response on musl libc systems - debian/patches/CVE-2026-40684.patch: handle musl libc dnexpand backslash-decimal escape oddity in stringcopydnsdomain - CVE-2026-40684...

CVSS 7.5, AI score 6, EPSS 0.0019
Exploits 0, References 1
SUSE CVE
added 2026/05/08 2:21 a.m., 6 views

SUSE CVE-2026-42216

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init reconstructs strings from a prefix-compressed...

CVSS 8.2, AI score 5.8, EPSS 0.00059
Exploits 1, References 3
CVE
added 2026/05/08 12:00 a.m., 8 views

CVE-2026-29975

CVE-2026-29975 affects lwjson 1.8.1. The vulnerability is in the streaming JSON parser (lwjson_stream.c): end-of-string detection incorrectly checks only the immediately preceding character for escapes, instead of counting consecutive backslashes. This can cause valid JSON strings ending with an ...

CVSS 7.5, AI score 5.8, EPSS 0.00166
Exploits 0, References 3
Cvelist
added 2026/05/08 12:00 a.m., 29 views

CVE-2026-29975

lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser lwjson_stream.c. The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causin...

EPSS 0.00166
Exploits 0, References 3
Positive Technologies
added 2026/05/08 12:00 a.m., 6 views

PT-2026-39144

Name of the Vulnerable Software and Affected Versions: lwjson version 1.8.1. Description: Improper input validation in the streaming JSON parser lwjson_stream.c occurs because the end-of-string detection logic incorrectly identifies escaped quote characters. The system only checks the immediately...

CVSS 7.5, AI score 5.8, EPSS 0.00166
Exploits 0, References 5
CNNVD
added 2026/05/08 12:00 a.m., 4 views

Lightweight JSON text parser security vulnerability

Lightweight JSON Text Parser is a lightweight JSON text parsing library developed by Tilen Majerle. Version 1.8.1 of Lightweight JSON Text Parser has a security vulnerability. This vulnerability stems from a logical error in the string termination detection mechanism of the streaming JSON parser,...

CVSS 7.5, AI score 5.8, EPSS 0.00166
Exploits 0, References 1
CNNVD
added 2026/05/08 12:00 a.m., 4 views

math-codegen code injection vulnerability

Math-CodeGen is an interpreter developed by Mauricio Poppe that generates JavaScript code from mathematical expressions. Versions of Math-CodeGen prior to 0.4.3 contained a code injection vulnerability. This vulnerability stemmed from the cg.parse function not properly cleaning string literal...

CVSS 9.8, AI score 6, EPSS 0.00057
Exploits 0, References 1
Positive Technologies
added 2026/05/08 12:00 a.m., 4 views

PT-2026-38867

A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be writte...

CVSS 7.5, AI score 5.8, EPSS 0.00418
Exploits 0, References 4
Tenable Nessus
added 2026/05/08 12:00 a.m., 4 views

Ruby net-imap < 0.4.24 / 0.5.x < 0.5.14 / 0.6.x < 0.6.4 Multiple Vulnerabilities

The version of the net-imap Ruby library installed on the remote host is prior to 0.4.24, 0.5.x prior to 0.5.14, or 0.6.x prior to 0.6.4. It is, therefore, affected by multiple vulnerabilities. - The Net::IMAP::ResponseReader component is affected by a quadratic time complexity flaw when parsing...

CVSS 9.8, AI score 6.1, EPSS 0.00092
Exploits 0, References 6
CVE
added 2026/05/07 7:41 p.m., 24 views

CVE-2026-39820

CVE-2026-39820 relates to the Go net/mail package, specifically a quadratic string concatenation in the consumeComment path. This root cause can cause excessive CPU usage and memory allocations when parsing crafted inputs through functions like ParseAddress, ParseAddressList, and ParseDate. The p...

CVSS 7.5, AI score 5.8, EPSS 0.00054
Exploits 0, References 4, Affected Software 1