Lucene search

179 matches found

EUVD
added 2026/05/14 6:23 p.m., 5 views

EUVD-2026-30359

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The...

9.4 CVSS, 6.1 AI score, 0.00033 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/05/07 9:40 a.m., 9 views

CVE-2026-43861

A flaw was found in mutt, an email client. The urlpctdecode function, which is responsible for decoding URL-encoded strings, does not correctly handle null termination characters. This vulnerability could allow a remote attacker to manipulate how URLs are processed, potentially leading to a...

3.7 CVSS, 5.8 AI score, 0.00038 EPSS
Exploits 0, References 4
EUVD
added 2026/05/04 5:52 a.m., 2 views

EUVD-2026-26899

mutt before 2.3.2 does not check for '\0' in urlpctdecode...

3.7 CVSS, 5.8 AI score, 0.00038 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/05/04 12:0 a.m., 1 views

PT-2026-36774

Name of the Vulnerable Software and Affected Versions: mutt versions prior to 2.3.2. Description: The software fails to check for the null character '0' within the url pct decode function. Recommendations: Update to version 2.3.2 or later...

3.7 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits 0, References 7
OSV
added 2026/03/20 8:50 p.m., 1 views

GHSA-72GR-QFP7-VWHW h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`

Summary: The serveStatic utility in h3 applies a redundant decodeURI call to the request pathname after H3Event has already performed percent-decoding with %25 preservation. This double decoding converts %252e%252e into %2e%2e, which bypasses resolveDotSegments since it checks for literal...

5.9 CVSS, 6 AI score
Exploits 0, References 2
GithubExploit
added 2026/03/15 11:3 p.m., 240 views

Exploit for Path Traversal in Python Setuptools

CVE-2025-47273: Path Traversal in setuptools.packageindex...

8.8 CVSS, 6 AI score, 0.0012 EPSS
Exploits 4
Snyk
added 2026/03/10 6:41 p.m., 1 views

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation: Upgrade Microsoft.NETCore.App.Runtime.win-x86 to version 9.0.14, 10.0.4 or higher. References: GitHub Commit, GitHu...

8.7 CVSS, 5.8 AI score, 0.001 EPSS
Exploits 0, References 2
ATTACKERKB
added 2026/03/06 5:3 p.m., 4 views

CVE-2026-29087

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/), inconsistent URL decoding can allow protected static resources to be accessed...

7.5 CVSS, 5.7 AI score, 0.00018 EPSS
Exploits 0, References 3, Affected Software 1
RedhatCVE
added 2026/03/06 1:34 a.m., 1 views

CVE-2026-29045

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...

9.8 CVSS, 5.8 AI score, 0.0005 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/03/04 10:9 p.m., 1 views

CVE-2026-29045

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections e.g. app.use'/admin/', ..., inconsistent URL decoding allowed protected static resources to be accessed without...

7.5 CVSS, 5.8 AI score, 0.0005 EPSS
Exploits 0, References 3, Affected Software 1
Ubuntu
added 2026/02/08 11:40 p.m., 4 views

USN-8020-1: libsoup vulnerabilities

It was discovered that libsoup did not correctly handle certain URL-decoded input, which could allow for HTTP header injection. A remote attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-1467, CVE-2026-1536) It was discovered that libsoup did n...

5.8 CVSS, 6 AI score, 0.00133 EPSS
Exploits 2
OSV
added 2026/01/27 10:15 a.m., 1 views

AZL-76398 CVE-2026-1467 affecting package libsoup 3.0.4-12

A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing ...

5.8 CVSS, 5.8 AI score, 0.00074 EPSS
Exploits 1, References 1
Hacker One
added 2026/01/02 5:54 a.m., 10 views

curl: CRLF Injection in Gopher Protocol (`lib/gopher.c`)

Control characters slip through during URL handling in curl’s Gopher setup. Though null bytes get blocked by the REJECTZERO setting, returns and line feeds remain permitted. A specially built address using percent-encoded breaks - like %0D%0A - opens room for command insertion. Because of how...

7.2 AI score
Exploits 0
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2016-6051

Malware in sbrugna...

6.1 CVSS, 6.4 AI score, 0.00493 EPSS
Exploits 0, References 11
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-19209

Malware in sbrugna...

7.8 CVSS, 8.6 AI score, 0.00292 EPSS
Exploits 1, References 24
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2008-4340

Malware in sbrugna...

7.5 CVSS, 7.3 AI score, 0.00512 EPSS
Exploits 1, References 27
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2004-0707

Malware in sbrugna...

7.5 CVSS, 6.4 AI score, 0.00893 EPSS
Exploits 0, References 5
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2004-0189

Malware in sbrugna...

7.5 CVSS, 6 AI score, 0.02494 EPSS
Exploits 1, References 20
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-23425

Malicious code in bioql PyPI...

9.8 CVSS, 9.3 AI score, 0.00466 EPSS
Exploits 0, References 1
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2025-3090

Malicious code in bioql PyPI...

5.2 CVSS, 6.6 AI score, 0.00128 EPSS
Exploits 0, References 1