Lucene search
K

4075 matches found

CVE
CVE
added yesterday4 views

CVE-2026-58486

CVE-2026-58486: HedgeDoc prior to 1.11.0 is vulnerable to a YAML alias bomb in note frontmatter. HedgeDoc parses frontmatter with js-yaml.load (js-yaml v3) via @hedgedoc/meta-marked, resolving YAML anchors and potentially expanding a malicious payload into a huge object, consuming CPU on each req...

8.3CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added yesterday19 views

Kubernetes API Server - YAML Parsing DoS (Billion Laughs)

The Kubernetes API server is vulnerable to a denial of service attack via YAML/JSON parsing. An attacker can send a specially crafted YAML/JSON payload that causes exponential memory consumption Billion Laughs attack, leading to API server crash. id: CVE-2019-11253 info: name: Kubernetes API Serv...

7.5CVSS6.7AI score0.25939EPSS
Exploits2References3
NVD
NVD
added 2 days ago7 views

CVE-2026-15505

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS0.00195EPSS
Exploits0References4
CVE
CVE
added 2 days ago13 views

CVE-2026-15505

The CVE concerns vnotex vnote (up to version 3.20.1) where the YAML Frontmatter component exposes cross-site scripting via the file /src/data/extra/web/js/markdownit.js. The issue arises from manipulation of the argument p_metaData in the YAML Frontmatter code, which can potentially be exploited ...

5.1CVSS4.7AI score0.00195EPSS
Exploits0References4
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-43246

A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument pmetaData causes cross site scripting. The attack may be initiated remotely. The vendo...

5.1CVSS4.6AI score0.00195EPSS
Exploits0References4
NVD
NVD
added 4 days ago7 views

CVE-2026-44795

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading...

8.8CVSS0.01001EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43087

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...

7.5CVSS6.5AI score0.00615EPSS
Exploits0References11
CVE
CVE
added 4 days ago13 views

CVE-2026-55175

Spinnaker CVE-2026-55175 affects Rosco/Kustomize bake operations where unsafe YAML tag processing in rosco manifests can lead to remote code execution on rosco pods. Affected versions are prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 across release lines; fixes are available in 2026.1.1, 20...

7.5CVSS6.5AI score0.00615EPSS
Exploits0References11
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-55175 Spinnaker: Improper yaml processing on kustomize bake operations

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...

7.5CVSS0.00615EPSS
Exploits0References11
CVE
CVE
added 4 days ago19 views

CVE-2026-44795

CVE-2026-44795 affects Spinnaker (Cloud deployments/baking paths) where unsafe YAML processing bypasses safe deserialization via a non-safe constructor, enabling arbitrary Java class loading and remote code execution. Affected versions precede fixed releases and include 2026.1.0, 2026.0.3, 2025.4...

8.8CVSS6.3AI score0.01001EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-58493 grav-plugin-database: DSN Parameter Injection via Unsanitized Configuration Values in Connection String Construction

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing...

5.1CVSS0.00288EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-57343

Name of the Vulnerable Software and Affected Versions Spinnaker versions prior to 2026.1.1 Spinnaker versions prior to 2026.0.3 Spinnaker versions prior to 2025.4.4 Spinnaker versions prior to 2025.3.4 Description Unsafe YAML tag processing during Kustomize bake operations in rosco manifests can...

7.5CVSS6.5AI score0.00615EPSS
Exploits0References15
RedhatCVE
RedhatCVE
added 5 days ago6 views

CVE-2026-59868

A flaw was found in js-yaml, a JavaScript YAML parser and dumper. When merge keys are enabled, a remote attacker could exploit this vulnerability by crafting a YAML document where a chain of mappings uses merge keys, each merging the previous one. This can lead to a significant increase in CPU ti...

7.5CVSS6AI score0.00291EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 5 days ago6 views

CVE-2026-59870

A flaw was found in js-yaml, a JavaScript YAML YAML Ain't Markup Language parser. An attacker could exploit this by providing a specially crafted YAML ordered-map document. This could lead to excessive CPU consumption, resulting in a denial of service DoS for applications processing the malicious...

7.5CVSS5.9AI score0.00358EPSS
Exploits1References6
Snyk
Snyk
added 5 days ago5 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the path key in blobs.yaml. An attacker can write arbitrary files and exfiltrate sensitive information by supplying crafted input that causes traversal outside the intended directory. Details A Directory Traversa...

9.1CVSS7.3AI score0.00331EPSS
Exploits0References2
Snyk
Snyk
added 5 days ago4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the path key in blobs.yaml. An attacker can write arbitrary files and exfiltrate sensitive information by supplying crafted input that causes traversal outside the intended directory. Details A Directory Traversa...

9.1CVSS7.3AI score0.00331EPSS
Exploits0References2
CVE
CVE
added 5 days ago15 views

CVE-2026-47826

The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH CLI tool versions prior to v7.10.4...

9.1CVSS7.3AI score0.00331EPSS
Exploits0References1Affected Software1
Tenable Nessus
Tenable Nessus
added 5 days ago6 views

Linux Distros Unpatched Vulnerability : CVE-2026-59868

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js- yaml can spend quadratic CPU time parsing a document...

7.5CVSS6.1AI score0.00291EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 5 days ago2 views

Linux Distros Unpatched Vulnerability : CVE-2026-59870

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addIte...

7.5CVSS6.6AI score0.00358EPSS
Exploits1References2
Snyk
Snyk
added 6 days ago6 views

Inefficient Algorithmic Complexity

Overview js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the merge key handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous mapping. An...

8.2CVSS6.5AI score0.0035EPSS
Exploits2References2
Rows per page
Query Builder