Lucene search
K

74 matches found

Github Security Blog
Github Security Blog
added 2026/06/23 9:24 p.m.7 views

jackson-databind has @JsonView bypass for setterless creator properties

Summary In BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInViewactiveView check. A change making SetterlessProperty.isMerging return true routed setterless...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References6Affected Software2
OSV
OSV
added 2026/06/23 9:17 p.m.5 views

DEBIAN-CVE-2026-54514

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.12 views

PT-2026-51067

Name of the Vulnerable Software and Affected Versions Oj versions prior to 3.17.3 Description When Oj::Doceach child is invoked recursively over a deeply nested JSON document, it can cause a fixed-size stack buffer overflow, leading to a denial of service DoS that aborts the process. This occurs...

7.5CVSS6AI score
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.9 views

CVE-2026-45152

uniget is a universal installer and updater for container tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without...

7.8CVSS6.3AI score0.00715EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/06/04 2:30 a.m.12 views

SUSE CVE-2026-9334

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...

8.1CVSS5.8AI score0.00263EPSS
Exploits0References3
NVD
NVD
added 2026/06/03 1:16 a.m.15 views

CVE-2026-9334

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...

7.3CVSS0.00263EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/03 12:15 a.m.9 views

CVE-2026-9334 Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...

5.8AI score0.00263EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/03 12:15 a.m.12 views

EUVD-2026-34060

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...

7.3CVSS5.8AI score0.00263EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/03 12:15 a.m.38 views

CVE-2026-9334 Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled

Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeysasarrayref is enabled. decodehv collapses duplicate object keys into an array reference under dupkeysasarrayref. The branch reached for a duplicate key tests SvTYPE oldvalue != SVtRV && SvTYP...

0.00263EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/18 7:59 p.m.13 views

CVE-2026-8656

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM,...

6.1CVSS5.8AI score0.00191EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/16 5:0 a.m.7 views

CVE-2026-8656

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM,...

6.1CVSS5.8AI score0.00191EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/16 5:0 a.m.50 views

CVE-2026-8656

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM,...

6.1CVSS0.00191EPSS
Exploits0References3
CVE
CVE
added 2026/05/16 5:0 a.m.17 views

CVE-2026-8656

CVE-2026-8656 affects jsondiffpatch versions before 0.7.6. The vulnerability is Cross-site Scripting (XSS) via the annotated formatter caused by improper sanitization of JSON values and property names. When an application renders annotated formatter output in the DOM from untrusted JSON/object da...

6.1CVSS5.8AI score0.00191EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/16 12:0 a.m.16 views

PT-2026-41421

Name of the Vulnerable Software and Affected Versions jsondiffpatch versions prior to 0.7.6 Description Improper sanitization of JSON values and property names in the annotated formatter allows for Cross-site Scripting XSS. This occurs when an application compares untrusted JSON or object data an...

6.1CVSS5.8AI score0.00191EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/05/09 12:0 a.m.8 views

Unity Linux 20.1050e / 20.1070e Security Update: python-PyMySQL (UTSA-2026-017341)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017341 advisory. PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escapedict. Tenable has extracted the preceding...

6.3CVSS5.9AI score0.00691EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/13 11:51 p.m.33 views

CVE-2026-33948 jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

6.3CVSS0.00256EPSS
Exploits1References2
Debian CVE
Debian CVE
added 2026/04/13 11:51 p.m.4 views

CVE-2026-33948

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen to determine buffer length instead of the actual byte...

6.3CVSS5.6AI score0.00256EPSS
Exploits1
Snyk
Snyk
added 2026/02/19 8:44 p.m.4 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:pannellum is a lightweight, free, and open source panorama viewer for the web. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the attributes configuration property in hot spots. An attacker can execute arbitrary JavaScript code by supplyi...

6.1CVSS5.9AI score0.00319EPSS
Exploits0References2
OSV
OSV
added 2026/02/19 8:44 p.m.4 views

GHSA-8423-W5WX-H2R6 Pannellum has a XSS vulnerability in hot spot attributes

Impact The hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files bypassing the...

5.3CVSS6.2AI score0.00319EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.8 views

MiracleLinux 8 : python3.11-PyMySQL-1.0.2-2.el8_10 (AXSA:2024-8537:01)

The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-8537:01 advisory. python-pymysql: SQL injection if used with untrusted JSON input CVE-2024-36039 Tenable has extracted the preceding description block directly from the...

6.3CVSS5.9AI score0.00691EPSS
Exploits1References2
Rows per page
Query Builder