1787 matches found
PHP Login System 2.0.1 - Cross-Site Scripting
msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL id: CVE-2023-38875 info...
jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass
A flaw was found in jackson-databind. This vulnerability allows a remote attacker to bypass the PolymorphicTypeValidator PTV when polymorphic typing is enabled and a type identifier contains generic parameters. By crafting a malicious type ID, an attacker can place a denied class as a generic typ...
CVE-2026-59887
The CVE concerns the linkify-it library. The mailto: schema validator (used by .test()/.match()) could, before version 5.0.2, be invoked for each mailto occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption (DoS) on crafted text. Impact is hi...
CVE-2026-59887 linkify-it: Quadratic-complexity DoS via the `mailto:` validator scan-loop on attacker text
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test and .match can be invoked at every mailto: occurrence and scan the remaining input through srcemailname in lib/re.mjs, causing On^2 CPU consumption on crafted user text...
CVE-2026-53878 Header injection possibility since DomainNameValidator accepted newlines in input
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...
EUVD-2026-42045
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...
CVE-2026-53878
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...
CVE-2026-53878
CVE-2026-53878 affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The issue lies in DomainNameValidator not prohibiting newlines in domain names, which can enable header injection if an application places such values in an HTTP response. Django itself remains unaffected because HttpResponse b...
CVE-2026-53878
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...
PT-2026-56197
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...
OPENSUSE-SU-2026:11192-1 python313-openapi-spec-validator-0.9.0-1.1 on GA media
These are all security issues fixed in the python313-openapi-spec-validator-0.9.0-1.1 package on the GA media of openSUSE Tumbleweed...
GHSA-GF9R-M956-97QX zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser
Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate. All default configurations are affected. No feature flags, non-default settings, or...
Malicious code in dt-validator (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0dd6dc392ad68861c938e7798773adf5359c835743e711a834d84221b481bdf The package's top-level public API dtvalidator.validate — colocated in all with legitimate helpers validateextension, validatesize, and...
CVE-2026-8147 Authorization Bypass in mlflow/mlflow
In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying trac...
EUVD-2026-40453
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree AST security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module...
BIT-ENVOY-2026-47778 Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .cstr before bei...
CVE-2026-56777
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree AST security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module...
CVE-2026-56777 n8n - AST Validator Bypass in Python Code Node
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree AST security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module...
CVE-2026-56777
The CVE affects n8n self‑hosted instances running Python Task Runner with the Python Code node. Versions affected: before 2.25.7 and before 2.26.2. Issue: AST security validator bypass in Python Code node allows an authenticated user with workflow modification rights to bypass the validator and a...
CVE-2026-54512
A flaw was found in jackson-databind. This vulnerability allows a remote attacker to bypass the PolymorphicTypeValidator PTV when polymorphic typing is enabled and a type identifier contains generic parameters. By crafting a malicious type ID, an attacker can place a denied class as a generic typ...