206304 matches found
CVE-2026-45416
A flaw was found in Netty, a network application framework. A remote attacker can exploit this vulnerability by sending a crafted TLS Transport Layer Security ClientHello message. This can lead to an eager allocation of a large memory buffer, causing a Denial of Service DoS due to excessive memor...
CVE-2026-44890
A flaw was found in netty-codec-redis. A remote attacker can exploit this vulnerability by sending specially crafted Redis payloads across multiple connections without proper termination. This can exhaust the server's direct memory pool, leading to a Denial of Service DoS condition where legitima...
CVE-2026-44250
A flaw was found in netty-codec-redis. A remote attacker can exploit this vulnerability by sending a specially crafted Redis payload containing deeply nested arrays. This action forces the server to allocate a large number of state objects and collections, leading to memory exhaustion...
CVE-2026-12216
A flaw was found in Duktape. A local attacker can exploit this vulnerability by manipulating the countinstr argument in dukapibytecode.c, leading to memory corruption. This could result in a denial of service or other impacts due to compromised memory integrity. Mitigation Mitigation for this iss...
CVE-2026-11816
A flaw was found in Keras. Attackers can exploit a path traversal vulnerability in the archive extraction utilities, specifically filtersafetarinfos and filtersafezipinfos. This occurs because the validation of archive member paths is performed against the process's current working directory CWD...
CVE-2026-35058
A flaw was found in OpenVPN. This vulnerability, caused by improper validation of packet length during tls-crypt-v2 key extraction, allows an authenticated attacker to send a specially crafted packet. Successful exploitation can trigger a fatal assertion, leading to a denial of service DoS...
CVE-2026-42535
A flaw was found in the moddavfs module of Apache HTTP Server. A WebDAV Web Distributed Authoring and Versioning content author could exploit a path handling issue to directly manipulate trusted DAV property databases. This manipulation could potentially lead to child process crashes, resulting i...
CVE-2026-54055
A flaw was found in Kitty, a cross-platform GPU-based terminal. A local attacker, specifically a child process running within the terminal, can exploit a Time-of-Check-Time-of-Use TOCTOU race condition in the file transmission protocol. This allows the attacker to create a symbolic link between a...
CVE-2026-45673
A flaw was found in Netty's DNS resolver component. This vulnerability arises from the use of a predictable pseudo-random number generator PRNG for DNS transaction IDs and a static User Datagram Protocol UDP source port. This combination significantly reduces the randomness of DNS queries, making...
CVE-2026-54057
A flaw was found in Kitty, a cross-platform GPU-based terminal. An input sanitization vulnerability in Kitty's OSC 21 color-control query reply allows an attacker to inject controlled bytes, including newlines, directly into the shell's input. This could enable an attacker to execute arbitrary co...
CVE-2026-44894
A flaw was found in Netty, specifically within the netty-codec-classes-quic component's NoQuicTokenHandler. A remote attacker can exploit this vulnerability by sending an Initial packet with any non-empty token bytes and a spoofed victim's IP address. This improper token validation causes the Net...
CVE-2026-54056
A flaw was found in Kitty, a cross-platform GPU based terminal. A remote attacker can exploit a vulnerability in the kitten dnd feature by sending a specially crafted drag-and-drop request. This allows the attacker to overwrite or truncate arbitrary files on the local system that are writable by...
CVE-2026-48059
A flaw was found in the Netty HAProxy PROXY protocol v2 codec. A remote attacker can exploit this vulnerability by sending a specially crafted HAProxy PROXY protocol v2 header with nested PP2TYPESSL type-length-value TLV records. This can lead to a memory leak, causing the underlying cumulation...
CVE-2026-48748
A flaw was found in Netty. A remote attacker can exploit a memory exhaustion vulnerability in the Netty HTTP/3 codec by creating an infinite number of blocked streams. This can lead to an Out Of Memory OOM error, resulting in a Denial of Service DoS for the affected system. Mitigation Mitigation...
CVE-2026-48043
A flaw was found in netty-codec-http2. A remote attacker could send specially crafted frames that cause a resource leak within the DelegatingDecompressorFrameListener class. This resource leak could lead to an Out Of Memory Error OOME, potentially causing a Denial of Service DoS by taking down th...
CVE-2026-42850
A flaw was found in Kitty, a cross-platform GPU based terminal. A remote attacker could exploit this vulnerability by sending a specially crafted escape code to a victim who is connected to the attacker via a program like netcat. This escape code triggers an unescaped error that is then executed ...
CVE-2026-42851
A flaw was found in Kitty, a cross-platform GPU-based terminal. A local attacker, or a remote attacker who can control output displayed in the terminal, could exploit this vulnerability. By sending specially crafted input to the terminal, the attacker can cause Kitty to execute arbitrary Python...
CVE-2026-44893
A flaw was found in netty-codec-haproxy, a component of the Netty network application framework. A remote attacker can exploit this vulnerability by sending a specially crafted HAProxy message with a malformed PP2TYPESSL TLV Type-Length-Value header. This can lead to an IndexOutOfBoundsException...
CVE-2026-42567
A flaw was found in Svelte, a web framework. An internal regular expression regex in the Svelte runtime, specifically when processing , can be exploited by a remote attacker. By providing specially crafted input, an attacker can cause the regex to take an exponential amount of time to process,...
CVE-2026-10142
A flaw was found in kafka-python. A malicious broker or a machine-in-the-middle attacker can exploit a denial-of-service vulnerability in the protocol parser. By sending a specially crafted 4-byte frame length value without proper bounds validation, an attacker can trigger excessive memory...
CVE-2026-48855
A flaw was found in Erlang OTP ssh, specifically within the sshsftpd module. An authenticated SFTP client can exploit this vulnerability by creating a symbolic link symlink inside a restricted directory chroot that points to the root directory. When the client reads this symlink, the sshsftpd...
CVE-2026-46433
A flaw was found in lldpd, an implementation of IEEE 802.1ab LLDP. A remote attacker on the adjacent network can send specially crafted Ethernet frames with 802.1Q VLAN Virtual Local Area Network tags. This can cause a 4-byte heap buffer over-read, leading to a denial of service DoS due to an...
CVE-2026-44631
A flaw was found in Apache HTTP Server. This buffer underwrite vulnerability occurs when processing crafted regular expressions in the server's configuration. An attacker could potentially exploit this to cause a denial of service. Mitigation Only loadtrustedApache configuration; the bug triggers...
CVE-2026-44119
A flaw was found in Apache HTTP Server. This improper privilege management vulnerability allows local .htaccess authors to read files with the privileges of the httpd user. This could lead to unauthorized information disclosure...
CVE-2026-41843
A flaw was found in Spring Framework. Specifically, Spring MVC and WebFlux applications are vulnerable to a Path Traversal attack. This vulnerability allows a remote attacker to access sensitive files or directories on the server by manipulating requests for static resources. The successful...
CVE-2026-29170
A flaw was found in Apache HTTP Server, specifically within the modproxyftp module. This cross-site scripting XSS vulnerability occurs during the generation of HTML directory lists when the server is configured to list FTP directory contents via either a forward or reverse proxy. An attacker coul...
CVE-2026-2049
A flaw was found in GIMP. This heap-based buffer overflow vulnerability, located in the HDR file parsing component, allows a remote attacker to execute arbitrary code. User interaction is required for exploitation, as the target must open a malicious HDR file. The flaw occurs due to a lack of...
CVE-2026-44249
A flaw was found in netty-handler, a component of the Netty network application framework. A remote attacker can exploit an incorrect masking operation in the IpSubnetFilterRule.compareTo function to bypass configured IPv6 subnet rules. This allows valid public IP addresses to circumvent intended...
CVE-2026-48914
A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an...
CVE-2026-53463
A flaw was found in ImageMagick. When processing images, a remote attacker could provide incorrect arguments to the distort operation, leading to a null pointer dereference. This vulnerability can cause the application to crash, resulting in a Denial of Service DoS for affected systems...
CVE-2026-47166
A flaw was found in ImageMagick, a widely used software for image editing. An attacker with high privileges and local access could exploit a vulnerability in the magick -distribute-cache service. By causing a heap buffer over-read, this could lead to the disclosure of sensitive information and...
CVE-2026-11945
A flaw was found in PostgreSQL Anonymizer. A local user with privileges to create JSON documents can embed malicious code within a specific key-value pair. If a superuser subsequently invokes the importdatabaserules or importrolesrules functions, this malicious code will be executed with superuse...
CVE-2026-48998
A flaw was found in guzzlehttp/psr7, a PHP library for HTTP messages. A remote attacker could exploit improper validation of the Host header. By providing a specially crafted Host header, an attacker could cause the system to misinterpret the intended destination. This could lead to requests or...
CVE-2026-11623
A flaw was found in tmux. A local attacker could exploit a use-after-free vulnerability in the imagefree function, potentially leading to information disclosure or denial of service. Exploitation of this flaw is considered difficult due to its high complexity...
CVE-2026-52859
A flaw was found in Vim, an open-source command-line text editor. This vulnerability allows a program displaying output in a Vim terminal window to trigger an out-of-bounds write by sending a specific byte sequence. This can lead to a crash of the Vim application, resulting in a Denial of Service...
CVE-2026-46557
A flaw was found in ImageMagick. A local attacker could exploit a missing depth check in the fx operation by providing a specially crafted argument. This could lead to a stack overflow, resulting in a denial of service DoS for the application...
CVE-2026-46692
A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. A remote attacker, by connecting to a magick -distribute-cache service, can trigger a heap buffer over-write in the server process. This vulnerability can lead to a denial of service...
CVE-2026-49219
A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. An attacker with local access could exploit an incorrect parsing of filenames to bypass security policies. This could allow the attacker to read files that are otherwise disallowed b...
CVE-2026-46693
A flaw was found in ImageMagick. An attacker able to connect to a magick -distribute-cache service could exploit a race condition to hijack a file descriptor in the server process. This could lead to unauthorized access to sensitive information...
CVE-2026-45287
A flaw was found in OpenTelemetry-Go before schema package version 0.0.17. ParseFile in go.opentelemetry.io/otel/schema/v1.0 and v1.1 opens a schema file and passes it to Parse without closing it, leaking one file descriptor per successful call. Repeated parsing in a long-running process can...
CVE-2026-44494
A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle MITM attack. This enables the attacker to intercept, read, and modify all...
CVE-2026-44496
A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service DoS, where the affected browser tab may...
CVE-2026-44492
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NOPROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the...
CVE-2026-44487
A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final...
CVE-2026-44486
A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can...
CVE-2026-44488
A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or...
CVE-2026-44495
A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this...
CVE-2026-44490
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as prototype pollution, allows an upstream dependency to modify the fundamental behavior of JavaScript objects. When this occurs, Axios can unknowingly incorporate these altered values, leading to two potential...
CVE-2026-44489
A flaw was found in Axios, a promise-based HTTP client. A remote attacker could exploit a prototype pollution vulnerability, which occurs when nested objects are created without proper checks, allowing an attacker to inject malicious properties into Object.prototype. This vulnerability specifical...
CVE-2026-53439
A flaw was found in Jenkins. Missing permission checks allow an attacker with Overall/Read permission to determine other users' configured timezone. This vulnerability also enables the attacker to enumerate the view names of other users' "My Views", leading to information disclosure. Mitigation...