236 matches found
GHSA-6QH9-H6WF-JGQC Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Description Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear$prefix method inherited from AbstractAdapterTrait is documented to delete cache items whose key starts with $prefix. In the non-versioning code path, the caller-supplied $prefix is concatenated into...
GHSA-7CM9-V848-CFH2 CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List
Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...
GHSA-J3W3-P6MR-3HRH DynFuture Drop Can Construct a Dangling Reference
DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata. This issue was reproduced against dyn-future 3.0.4 under Miri. The crate is unmaintained...
DynFuture Drop Can Construct a Dangling Reference
DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata. This issue was reproduced against dyn-future 3.0.4 under Miri. The crate is unmaintained...
CVE-2026-33491
Zen C compiler before v0.4.4 is vulnerable to a stack-based buffer overflow in identifier mangling. A specially crafted Zen C source (.zc) with excessively long struct, function, or trait identifiers can cause a compiler crash or potentially allow arbitrary code execution. The issue affects Zen C...
CVE-2026-26267
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the contractimpl macro contains a bug in how it wires up function calls. contractimpl generates code that uses MyContract::value style calls even when it's processing the trait version. This means if a...
CVE-2026-26267
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the contractimpl macro contains a bug in how it wires up function calls. contractimpl generates code that uses MyContract::value style calls even when it's processing the trait version. This means if a...
CVE-2026-26267
The CVE-2026-26267 issue affects soroban-sdk-macros prior to versions 22.0.10, 23.5.2, and 25.1.1. The macro’s trait-implementation wiring can cause the generated call to resolve to an inherent function (MyContract::value) instead of the trait function when an identically named inherent function ...
CVE-2026-26267 rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the contractimpl macro contains a bug in how it wires up function calls. contractimpl generates code that uses MyContract::value style calls even when it's processing the trait version. This means if a...
CVE-2026-26267 rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the contractimpl macro contains a bug in how it wires up function calls. contractimpl generates code that uses MyContract::value style calls even when it's processing the trait version. This means if a...
CVE-2026-26267 rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the contractimpl macro contains a bug in how it wires up function calls. contractimpl generates code that uses MyContract::value style calls even when it's processing the trait version. This means if a...
GHSA-4CHV-4C6W-W254 The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
Impact The contractimpl macro contains a bug in how it wires up function calls. In Rust, you can define functions on a type in two ways: - Directly on the type as an inherent function: rust impl MyContract fn value ... - Through a trait rust impl Trait for MyContract fn value ... These are two...
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
Impact The contractimpl macro contains a bug in how it wires up function calls. In Rust, you can define functions on a type in two ways: - Directly on the type as an inherent function: rust impl MyContract fn value ... - Through a trait rust impl Trait for MyContract fn value ... These are two...
PT-2026-20342
Name of the Vulnerable Software and Affected Versions soroban-sdk-macros versions prior to 22.0.10 soroban-sdk-macros versions prior to 23.5.2 soroban-sdk-macros versions prior to 25.1.1 Description The contractimpl macro in soroban-sdk-macros has a flaw in how it manages function calls. When...
RUSTSEC-2026-0079 `DynFuture` drop can construct a dangling reference
DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata. This issue was reproduced against dyn-future 3.0.4 under Miri. And the crate is unmaintained...
`DynFuture` drop can construct a dangling reference
DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata. This issue was reproduced against dyn-future 3.0.4 under Miri. And the crate is unmaintained...
📄 Laravel Pulse 1.3.1 Arbitrary Code Injection
Proof of concept exploit written in PHP for Laravel Pulse version 1.3.1. This version of Laravel Pulse suffers from an arbitrary code injection vulnerability...
rustls-pemfile is unmaintained
The rustls-pemfile crate is no longer maintained. The repository has been archived since August 2025, and users are encouraged to depend directly on the underlying PEM parsing code included in rustls-pki-types since 1.9.0. The latest version of rustls-pemfile is in fact a thin wrapper around the...
[SECURITY] Fedora 41 Update: rust-get-size-derive2-0.7.1-1.fc41
Derives the GetSize trait...
[SECURITY] Fedora 42 Update: rust-get-size-derive2-0.7.1-1.fc42
Derives the GetSize trait...