Tag
#vulnerability
### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6ggr-cwv4-g7qg. This link is maintained to preserve external references.

### Original Description

The rosenpass crate before 0.2.1 for Rust allows remote attackers to cause a denial of service (panic) via a one-byte UDP packet.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r7qv-8r2h-pg27. This link is maintained to preserve external references.

### Original Description

The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7g9j-g5jg-3vv3. This link is maintained to preserve external references.

### Original Description

The snow crate before 0.9.5 for Rust, when stateful TransportState is used, allows incrementing a nonce and thereby denying message delivery.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5gmm-6m36-r7jh. This link is maintained to preserve external references.

### Original Description

The transpose crate before 0.2.3 for Rust allows an integer overflow via input_width and input_height arguments.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rr69-rxr6-8qwf. This link is maintained to preserve external references.

### Original Description

The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9344-p847-qm5c. This link is maintained to preserve external references.

### Original Description

The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupported primary key type.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-x4gp-pqpj-f43q. This link is maintained to preserve external references.

### Original Description

The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM.

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-8724-5xmm-w5xq. This link is maintained to preserve external references.

### Original Description

The cosmwasm-std crate before 2.0.2 for Rust allows integer overflows that cause incorrect contract calculations.

A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor.py module, which inadequately restricts Python code execution despite employing static and dynamic checks. Attackers can exploit whitelisted modules and functions to execute arbitrary code, compromising the host system. This flaw undermines the core security boundary intended to isolate untrusted code, posing risks such as unauthorized code execution, data leakage, and potential integration-level compromise. The issue is resolved in version 1.17.0.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables. This issue affects Linkify: from 4.3.1 before 4.3.2.