
13 matches found

EUVD
added 6 days ago · 6 views

EUVD-2026-36265

tmp: Type-confusion bypass of assertPath allows path traversal via non-string prefix/postfix/template...

CVSS 8.2 · AI score 5.1 · EPSS 0.00433
Exploits 1 · References 2
UbuntuCve
added 2026/05/17 12:16 a.m. · 7 views

CVE-2026-8723

Summary qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options skipNulls, strictNullHandling. Details In the comma + encodeValuesOnly...

CVSS 6.3 · AI score 5.9 · EPSS 0.00267
Exploits 0 · References 3
OSV
added 2026/04/24 3:31 p.m. · 0 views

GHSA-QX2V-QP2M-JG93 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

PostCSS: XSS via Unescaped </style> in CSS Stringify Output Summary PostCSS v8.5.5 latest does not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS values breaks out of the style context, enabling XSS. Proof of Concept...

CVSS 6.1 · AI score 5.3 · EPSS 0.00194
Exploits 0 · References 4
Snyk
added 2026/04/24 4:18 a.m. · 2 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:postcss is a PostCSS is a tool for transforming styles with JS plugins. Affected versions of this package are vulnerable to Cross-site Scripting XSS in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by...

CVSS 6.1 · AI score 5.5 · EPSS 0.00194
Exploits 0 · References 2
Vulnrichment
added 2026/04/24 2:27 a.m. · 3 views

CVE-2026-41305 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape </style> sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML <style> tags, </style> in CSS...

CVSS 6.1 · AI score 5.2 · EPSS 0.00194
Exploits 0 · References 2
CNNVD
added 2026/04/24 12:0 a.m. · 6 views

PostCSS cross-site scripting vulnerability

PostCSS is an open-source style transformation tool developed by PostCSS. Versions of PostCSS prior to 8.5.10 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of escaping of the sequence during CSS stringification using the CSS AST. As a result, when the...

CVSS 6.1 · AI score 5.7 · EPSS 0.00194
Exploits 0 · References 2
Vulnrichment
added 2025/12/23 10:56 p.m. · 3 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 8.6 · AI score 6.8 · EPSS 0.00735
Exploits 0 · References 4
OSV
added 2025/05/06 9:16 p.m. · 2 views

DEBIAN-CVE-2025-0649

Incorrect JSON input stringification in Google's Tensorflow serving versions up to 2.18.0 allows for potentially unbounded recursion leading to server crash...

CVSS 8.9 · AI score 6.8 · EPSS 0.00182
Exploits 0 · References 1
NVD
added 2025/05/06 9:16 p.m. · 34 views

CVE-2025-0649

Incorrect JSON input stringification in Google's Tensorflow serving versions up to 2.18.0 allows for potentially unbounded recursion leading to server crash...

CVSS 8.9 · EPSS 0.00182
Exploits 0 · References 1
Debian CVE
added 2025/05/06 8:20 p.m. · 1 views

CVE-2025-0649

Removed by vendor...

CVSS 8.9 · AI score 6.7 · EPSS 0.00182
Exploits 0
Positive Technologies
added 2024/09/15 12:0 a.m. · 2 views

PT-2024-40574 · Poco · Poco

Name of the Vulnerable Software and Affected Versions: Poco affected versions not specified Description: The issue is related to a crash caused by the use of an uninitialized value. The crash occurs in the Poco::Dynamic::Var destructor and is associated with the Poco::JSON::Object::doStringify...

AI score 6.8
Exploits 0 · References 2
OSV
added 2023/08/17 10:2 a.m. · 1 views

OPENSUSE-SU-2023:0225-1 Security update for perl-Cpanel-JSON-XS

This update for perl-Cpanel-JSON-XS fixes the following issues: perl-Cpanel-JSON-XS was updated to 4.36 see /usr/share/doc/packages/perl-Cpanel-JSON-XS/Changes 4.36 2023-03-02 rurban - remove the SAVESTACKPOS noop. Merged from JSON-XS-3.02, removed there with 4.0. requested to remove with L 4.35...

AI score 7.2
Exploits 0 · References 1
VulnCheck KEV
added 2021/10/26 12:0 a.m. · 1 views

VulnCheck KEV: CVE-2021-38003

Google Chromium V8 Engine has a bug in JSON.stringify, where the internal TheHole value can leak to script code, causing memory corruption. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera...

CVSS 8.8 · AI score 7.3 · EPSS 0.36238
Exploits 2 · References 1