Malicious Package

Overview syntax-async-generators is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax

SUMMARY ABB became aware of vulnerability in the products versions listed as affected in the advisory. An update is available that resolves publicly reported vulnerability. An attacker who successfully exploited these vulnerabilities could cause a crash, denial-of-service DoS, or potentially...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: raptor2 (UTSA-2026-006052)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006052 advisory. In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buffer over-read when parsing triples with the nquads parser in raptorntriplesparseterminternal...

CVE-2026-32094

Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like...

Shescape 信息泄露漏洞

Shescape is a simple shell escape program developed by Eric Cornelissen. Versions of Shescape prior to 2.1.10 contained an information leakage vulnerability. This vulnerability stemmed from unescaped bracket wildcard syntax, which could allow attacker-controlled parameters to expand into multiple...

Denial Of Service (DoS)

xgrammar is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of multi-level nested syntax, which can trigger a segmentation fault and crash the application...

GHSA-7RGV-GQHR-FXG3 xgrammar vulnerable to DoS via multi-layer nesting

Summary The multi-level nested syntax caused a segmentation fault core dump. Details A trigger stack overflow or memory exhaustion was caused by constructing a malicious grammar rule containing 30,000 layers of nested parentheses. PoC !/usr/bin/env python3 """ XGrammar - Math Expression Generatio...

EUVD-2026-9830

xgrammar vulnerable to DoS via multi-layer nesting...

CVE-2026-25048

xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault core dumped. This issue has been patched in version 0.1.32...

CVE-2026-25048

xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault core dumped. This issue has been patched in version 0.1.32...

PT-2026-23453

Name of the Vulnerable Software and Affected Versions xgrammar versions prior to 0.1.32 Description xgrammar, an open-source library for structured generation, experienced a segmentation fault due to multi-level nested syntax in versions prior to 0.1.32. This issue can lead to a denial-of-service...

XGrammar 安全漏洞

XGrammar is a fast, flexible, and portable structured generation tool open source by mlc-ai. Versions of XGrammer before 0.1.32 have security vulnerabilities, which are caused by multi-level nested syntax leading to segmentation errors...

PT-2026-23090

Name of the Vulnerable Software and Affected Versions changedetection.io versions prior to 0.54.4 Description The changedetection.io application allows users to specify XPath expressions as content filters via the include filters field. These XPath expressions are processed using the elementpath...

GHSA-7GCC-R8M5-44QM Koa has Host Header Injection via ctx.hostname

Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...

Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Summary Multiple components with known vulnerabilities were addressed in IBM QRadar SIEM 7.5.0 UP14 IF05 Vulnerability Details CVEID:CVE-2025-68615 DESCRIPTION: net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-sn...

CLSA-2026-1772039226 golang: Fix of 2 CVEs

CVE-2025-61726: limit parsed URL query parameters to mitigate excessive memory consumption during form parsing - CVE-2025-61732: prevent cgo code smuggling by removing user-controlled content from documentation strings in generated ASTs...

GHSA-MXHJ-88FX-4PCV Fickling: OBJ opcode call invisibility bypasses all safety checks

Assessment The interpreter so it behaves closer to CPython when dealing with OBJ, NEWOBJ, and NEWOBJEX opcodes https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a. Original report Summary All 5 of fickling's safety interfaces -- islikelysafe, checksafety, CLI...

openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap

A flaw was found in the OpenSSL CMS implementation RFC 3211 KEK Unwrap. This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption PWRI...

Unity Linux 20.1060e / 20.1070e Security Update: wireshark (UTSA-2026-005360)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005360 advisory. In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash. This was addressed in epan/asn1.c by...

[SECURITY] Fedora 42 Update: python-pyasn1-0.6.2-1.fc42

This is an implementation of ASN.1 types and codecs in the Python programming language...