A flaw was found in libexpat. A remote attacker could exploit this vulnerability by providing specially crafted XML content with empty external parameter entities. This could lead to a NULL pointer dereference, causing the application to crash and resulting in a Denial of Service (DoS).

A flaw was found in libexif. When decoding MakerNotes, an integer underflow can occur in the exif_mnote_data_get_value function if a zero size is passed. This can lead to a buffer overwrite, potentially allowing an attacker to achieve arbitrary code execution, disclose sensitive information, or cause a denial of service (DoS).

A flaw was found in Devise, an authentication solution for Rails. A race condition in the Confirmable module allows a remote attacker to confirm an email address they do not own. By sending two concurrent email change requests, an attacker can desynchronize the confirmation token and unconfirmed email fields. This enables the attacker to confirm a victim's email on their own account, potentially leading to unauthorized account manipulation.

A flaw was found in the Python library, SimpleEval. A remote attacker could exploit this vulnerability by providing specially crafted input that allows dangerous modules or functions to be accessed outside of the intended sandbox environment. This could lead to arbitrary code execution within the application using SimpleEval.

A flaw was found in ImageMagick. The NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte. This vulnerability could allow a remote attacker to cause a Denial of Service (DoS) by providing a specially crafted image, leading to system instability or unavailability.

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

A flaw was found in file-type, a utility for detecting file types. A remote attacker could exploit this vulnerability by providing a specially crafted ZIP file to an application using file-type's buffer or file-based detection functions. This can lead to excessive memory growth, causing a Denial of Service (DoS) due to the application attempting to inflate and process a much larger payload than expected.

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed.

A flaw was found in Locutus, a JavaScript library that provides standard library functions. The `create_function` function in Locutus passes user-supplied arguments and code directly to the JavaScript `Function` constructor without proper sanitization. This vulnerability allows a remote attacker to execute arbitrary code within the application, potentially leading to full system compromise or data manipulation.

A user input sanitization flaw has been discovered in the Black python code formatter. Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

A flaw was found in ImageMagick. Processing a specially crafted file with the sixel encoder can cause a stack-based buffer overflow when a memory allocation fails, leading to a denial of service.

A flaw was found in Vim. A NULL pointer dereference can occur when the NFA regex compiler processes a specific character collection, more specifically one that contains a combining character acting as the endpoint of a character range (e.g., [0-0\u05bb]). A process or user that can supply a regex pattern can cause an application crash, resulting in a denial of service.

A flaw was found in the KJ-HTTP component of Cap’n Proto when processing HTTP messages that use Transfer-Encoding: chunked. If a chunk size is parsed as a value equal to or greater than 2^64, the value may be truncated when converted to a 64-bit integer. An attacker could exploit this behavior by sending specially crafted HTTP messages containing excessively large chunk sizes. This may cause incorrect interpretation of HTTP message boundaries and could theoretically enable HTTP request or response smuggling in applications that rely on the affected HTTP implementation.

A flaw was found in the KJ-HTTP component of Cap’n Proto. When processing HTTP messages, a negative Content-Length value could be implicitly converted to an unsigned integer, resulting in an extremely large length value. An attacker could exploit this behavior by sending specially crafted HTTP messages containing negative Content-Length values. This may lead to inconsistent interpretation of HTTP message boundaries and could theoretically enable HTTP request or response smuggling scenarios in applications that rely on Cap’n Proto’s HTTP implementation.

A data exposure flaw has been discovered in the @backstage/plugin-scaffolder-backend npm library. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected.

A server side request forgery flaw has been discovered in the npm @backstage/plugin-auth-backend package. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.

An allowlist bypass flaw has been discovered in the npm @backstage/plugin-auth-backend package. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is not the default.

A denial of service flaw has been discovered in the flatted npm library. flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.

RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service