110 matches found
CVE-2026-45729
A flaw was found in Thor Vector Graphics (ThorVG), a vector graphics engine. A remote attacker could exploit this vulnerability by providing untrusted SVG (Scalable Vector Graphics) data. This could lead to a denial of service (DoS), causing the application to crash and become unavailable. The...
CVE-2026-45729 ThorVG: Null pointer dereference in SVG loader causes crash via 6-byte malformed input
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...
CVE-2026-45729
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...
CVE-2026-45729
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...
PT-2026-45537
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...
ruby4.0-rubygem-thor-1.4.0-1.3 on GA media (moderate)
ruby4.0-rubygem-thor-1.4.0-1.3 on GA media. Announcement ID: openSUSE-SU-2026:10366-1. Rating: moderate. Cross-References: CVE-2025-54314. CVSS scores: CVE-2025-54314 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N; CVE-2025-54314 (SUSE): 2...
OPENSUSE-SU-2026:10366-1 ruby4.0-rubygem-thor-1.4.0-1.3 on GA media
These are all security issues fixed in the ruby4.0-rubygem-thor-1.4.0-1.3 package on the GA media of openSUSE Tumbleweed...
MiracleLinux 7 : rubygem-bundler-1.7.8-3.el7, rubygem-thor-0.19.1-1.el7 (AXSA:2015-789:01)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2015-789:01 advisory. rubygem-bundler: Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably. rubygem-thor: Thor i...
EUVD-2018-1252
Malware in sbrugna...
EUVD-2017-12148
Malware in sbrugna...
EUVD-2019-17741
Malware in sbrugna...
EUVD-2025-21984
Malicious code in bioql PyPI...
CVE-2025-54314 affecting package rubygem-thor for versions less than 1.2.1-3
CVE-2025-54314 affecting package rubygem-thor for versions less than 1.2.1-3. A patched version of the package is available...
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
...
Low: ruby3.2
Issue Overview: Thor before 1.4.0 can construct an unsafe shell command from library input. CVE-2025-54314 Affected Packages: ruby3.2 Issue Correction: Run dnf update ruby3.2 --releasever 2023.8.20250808 or dnf update --advisory ALAS2023-2025-1124 --releasever 2023.8.20250808 to update your syste...
Amazon Linux 2023 : ruby3.2, ruby3.2-bundled-gems, ruby3.2-default-gems (ALAS2023-2025-1124)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1124 advisory. Thor before 1.4.0 can construct an unsafe shell command from library input. CVE-2025-54314 Tenable has extracted the preceding description block directly from the tested product security advisory. Note...
Command Injection
Thor is vulnerable to Command Injection. The vulnerability is due to unsafe command construction caused by the library forming shell commands directly from user-controlled input...
SUSE CVE-2025-54314
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."...
OS Command Injection
Overview: Affected versions of this package are vulnerable to OS Command Injection via the merge tool. An attacker can execute arbitrary commands by supplying crafted input that is improperly handled during the construction of commands. Remediation: Upgrade thor to version 1.4.0 or higher. Referenc...
GHSA-MQCP-P2HV-VW6X Withdrawn Advisory: Thor can construct an unsafe shell command from library input.
Withdrawn Advisory: This advisory has been withdrawn because the method described can only be used with arguments that are controlled by Thor, and an external attacker cannot access the functionality described in the body of the CVE. This link is maintained to preserve external references. Origina...