vulnerability

The semver package—ubiquitous in the npm ecosystem—contained a Regular Expression Denial of Service (ReDoS) flaw that lets attackers hang or crash Node.js processes when untrusted input is parsed as a version range, and the vulnerability is tracked as CVE-2022-25883 with fixes released in semver...

Google’s widely used RPC stack has been rocked by a high‑impact denial‑of‑service flaw that can be triggered remotely against a range of gRPC deployments on POSIX platforms: CVE‑2023‑4785 arises from missing error handling in the gRPC TCP server and allows a remote attacker to exhaust server...

QEMU hosts worldwide were quietly at risk of abrupt, complete shutdowns after a subtle SCSI emulation bug allowed a guest to trigger a division-by-zero that kills the QEMU process and the running virtual machine itself, a denial-of-service flaw tracked as CVE‑2023‑42467. The defect—rooted in how...

The knplabs/knp-snappy library — a widely used PHP wrapper for wkhtmltopdf and wkhtmltoimage — contains a high‑severity unsafe deserialization vulnerability that can be trivially abused to achieve remote code execution when the application environment and usage patterns permit it; the bug...

PostCSS versions prior to 8.4.31 contain a subtle but consequential parsing bug (tracked as CVE-2023-44270) that can let attacker-supplied CSS hide live rules and properties inside what appears to be a comment — a behavior that undermines linters and other tools that rely on PostCSS to safely...

QEMU’s built‑in VNC server contains a logic error in its clipboard decompression routine that can trap the server process in an infinite loop, allowing a remote, authenticated client to trigger a denial‑of‑service condition by sending specially crafted clipboard data. Background / Overview QEMU...

GJSON versions before 1.9.3 contain a Regular Expression Denial of Service (ReDoS) flaw — tracked as CVE-2021-42836 — that can be triggered by crafted JSON paths or queries and allow an attacker to drive CPU consumption to the point of service disruption. Background / Overview GJSON is a widely...

A subtle NULL‑check omission in the Linux kernel’s AMD GPU display code (drm/amd/display) — tracked as CVE‑2024‑26648 — has been fixed upstream after maintainers discovered that the function edp_setup_replay() dereferenced internal structures before verifying pointer validity, creating a...

The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable Go net/http code, but it is the only Microsoft product Microsoft has publicly attested so far as “including the implicated open‑source library and therefore potentially...

A critical memory-safety flaw in the widely used cJSON library has been assigned CVE-2025-57052: a logic error in the array-index parsing code lets malformed JSON pointer strings bypass bounds checks, enabling out‑of‑bounds memory access that can crash or corrupt applications that rely on cJSON...

The json-c library’s long‑running reputation for light‑weight JSON parsing took a sharp turn in 2023 when a stack‑buffer‑overflow in the auxiliary sample program json_parse was assigned CVE‑2021‑32292 — a defect that can be triggered by crafted input to the parseit() function and which, in...

CISA this week added two high‑risk flaws to its Known Exploited Vulnerabilities (KEV) catalog — a critical OS command‑injection in the React Native Community CLI’s Metro development server (CVE‑2025‑11953) and an unauthenticated remote‑code‑execution (RCE) flaw in SmarterTools SmarterMail’s...

A newly disclosed memory-safety bug in the open-source OPC UA stack open62541 — tracked as CVE-2026-1301 — has been flagged by U.S. cyber authorities as a medium-severity vulnerability that can be triggered before authentication and that reliably causes process crashes and heap corruption in...

Microsoft has assigned CVE-2026-20959 to a SharePoint Server presentation‑layer (spoofing) vulnerability, and administrators should treat the entry as a vendor‑tracked, high‑urgency condition that requires immediate triage and likely patching or mitigations depending on the MSRC mapping for each...

Microsoft has assigned CVE-2026-20925 to an information-disclosure / spoofing defect in NTLM authentication — a File Explorer–adjacent weakness that, based on the vendor entry and community precedent, can cause a Windows host to leak NTLM negotiation material (NTLMv2 challenge/response blobs) to...

Microsoft’s Security Update Guide lists dozens of CSC/Offline Files fixes over the past two years, but a clear, verifiable vendor entry for CVE-2026-20839 could not be located in public vendor and national vulnerability feeds at the time of writing — treat that identifier as unverified until the...

Microsoft has recorded CVE‑2026‑20827 — an information disclosure vulnerability in the Tablet Windows User Interface (TWINUI) subsystem — and it is included in the vendor’s Update Guide as part of the January 2026 security rollup, meaning administrators and power users should treat this as an...

The Linux kernel CVE-2025-38483 disclosure fixes a small but meaningful defensive-programming error in the COMEDI das16m1 driver that could lead to an out‑of‑bounds left-shift when a user-supplied IRQ number is used without sanity checks. The upstream patch enforces explicit bounds on the...

A recently recorded Linux-kernel vulnerability affects the FORE200E ATM driver: a small but meaningful synchronization bug in fore200e_open that can corrupt the driver’s bandwidth accounting when error paths run concurrently with normal control operations. The upstream fix is straightforward —...

A remotely triggerable NULL pointer dereference in FRRouting’s OSPF implementation has been cataloged as CVE-2025-61099 and can crash the OSPF daemon (ospfd) when a crafted Link-State (LS) Update packet is processed while detailed OSPF packet debugging is enabled. The bug, present in upstream...