Security Headlines (tag: #java)
GHSA-36hm-qxxp-pg3m: Preact has JSON VNode Injection issue

## Impact

**Vulnerability Type:** HTML Injection via JSON Type Confusion
**Affected Versions:** Preact 10.26.5 through 10.28.1
**Severity:** Low to Medium (see below)

### Who is Impacted?

Applications using affected Preact versions are vulnerable if they meet **all** of the following conditions:

1. **Pass unmodified, unsanitized values** from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree
2. **Assume these values are strings** but the data source could return actual JavaScript objects instead of JSON strings
3. The data source either:
   - Fails to perform type sanitization **AND** blindly stores/returns raw objects interchangeably with strings, OR
   - Is compromised (e.g., poisoned local storage, filesystem, or database)

### Technical Details

Preact includes JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection...

GHSA-7vhp-vf5g-r2fw: pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

### Summary

HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed.

### Details

When a package depends on an HTTP tarball URL, pnpm's tarball resolver returns only the URL without computing an integrity hash:

`resolving/tarball-resolver/src/index.ts`:

```javascript
return {
  resolution: {
    tarball: resolvedUrl,
    // No integrity field
  },
  resolvedVia: 'url',
}
```

The resulting lockfile entry has no integrity to verify:

```yaml
remote-dynamic-dependency@http://example.com/pkg.tgz:
  resolution: {tarball: http://example.com/pkg.tgz}
  version: 1.0.0
```

Since there is no integrity hash, pnpm cannot detect when the server returns different content. This affects:

- HTTP/HTTPS tarball URLs (`"pkg": "https://example.com/pkg.tgz"`)
- Git shorthand dependencies (`"pkg": "github:user/repo"`)
- Git URLs (`"pkg": "git+https...

GHSA-j382-5jj3-vw4j: Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Webinar: Learn How AI-Powered Zero Trust Detects Attacks with No Files or Indicators

Security teams are still catching malware. The problem is what they're not catching. More attacks today don't arrive as files. They don't drop binaries. They don't trigger classic alerts. Instead, they run quietly through tools that already exist inside the environment — scripts, remote access, browsers, and developer workflows. That shift is creating a blind spot. Join us for a deep-dive

Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers

Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart

GHSA-m9rg-mr6g-75gm: `vega-functions` vulnerable to Cross-site Scripting via `setdata` function

### Impact

For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://vega.github.io/vega/docs/expressions/)) could be used to run unintentional javascript (XSS).

### Patches

Fixed in vega-functions `6.1.1`

### Workarounds

There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in [CSP safe mode](https://vega.github.io/vega/usage/interpreter/) does not prevent this issue.

### Exploit Proof of Concept

Vega's expression `modify()` [function](https://github.com/vega/vega/blob/d8add5819346e5af597d82ef8253742acc0283ba/packages/vega-functions/src/functions/modify.js#L40), used by setdata, allows an attacker to control both the method called and the values supplied, which results in XSS. This was a previous POC:

```json
{
  "$schema": "https://vega.github.io/schema/vega/v6.json",
  "data": [
    {
      "name": "table",
      "values": [
        {"category": "A", "amount": 2...
```

GHSA-829q-m3qg-ph8r: Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope

## Impact

Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https://vega.github.io/vega/usage/interpreter/) is used.

1. Use `vega` in an application that attaches both the `vega` library and a `vega.View` instance to the global `window`, similar to the Vega [Editor](https://github.com/vega/editor), or has any other satisfactory function gadgets in the global scope
2. Allow user-defined Vega `JSON` definitions (vs. JSON that is only provided through source code)

## Patches

- With Vega v6, use `vega-selections@6.1.2` (requires ESM)
- With Vega v5, use `vega-selections@5.6.3` (No ESM needed)

## Workarounds

- Do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do [here](https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239). This is a development-only debugging practice that should n...

Researchers Warn of Data Exposure Risks in Claude Chrome Extension

Security experts at Zenity Labs warn that Anthropic’s new agentic browser extension, Claude in Chrome, could bypass traditional web security, exposing private data and login tokens to potential hijackers.

GHSA-jqmr-2pg9-vfx7: Apache SIS has Improper Restriction of XML External Entity Reference vulnerability

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services:

* Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG).
* Parsing of ISO 19115 metadata in XML format.
* Parsing of Coordinate Reference Systems defined in the GML format.
* Parsing of files in GPS Exchange Format (GPX).

This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property set to a comma-separated list of authorized protocols. For example: java -Djavax.xml.ac...

GHSA-cw39-r4h6-8j3x: MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation

### Summary

Affected Components:

```
org.msgpack.core.MessageUnpacker.readPayload()
org.msgpack.core.MessageUnpacker.unpackValue()
org.msgpack.value.ExtensionValue.getData()
```

A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.

### PoC

```
import msgpack
import struct
imp...
```