11 matches found
CVE-2026-0540
A cross site scripting flaw has been discovered in the DOMPurify npm library. This flaw allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex. Attackers can include payloads like in attribute...
CVE-2026-24675
A heap buffer use after free has been discovered in FreeRDP. urbselectinterface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusbudevselectinterface. Mitigation Mitigation for this issue is either not available or the currently...
CVE-2026-24006
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in...
CVE-2025-67636
A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product...
CVE-2025-66552
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the adminaudit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed ...
CVE-2025-60360
radare2 v5.9.8 and before contains a memory leak in the function r2rsubprocessinit. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread...
CVE-2025-58782
A Deserialization of Untrusted Data vulnerability has been discovered in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution...
CVE-2025-41242
A path traversal flaw was found in the Spring Framework MVC, affecting applications built on this framework. This flaw only affects applications that are deployed as a WAR or with an embedded Servlet container, which do not reject suspicious sequences and serve static resources with Spring resour...
CVE-2025-9019
A flaw was found in tcpreplay. The maskcidr6 function in cidr.c contains a heap-based buffer overflow triggered by manipulation of network packets. A remote attacker can initiate the overflow by providing a specially crafted packet. This buffer overflow can lead to an application level denial of...
CVE-2025-8879
A flaw was found in chromium-browser. A heap buffer overflow exists within the libaom library, allowing a remote attacker to potentially trigger heap corruption through a crafted sequence of gestures. This vulnerability allows an attacker to manipulate memory via a specially designed input. The...
CVE-2025-8863
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deploymen...