Search CVE reports
31 – 40 of 36633 results
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which...
1 affected package
node-tar
| Package | 22.04 LTS |
|---|---|
| node-tar | Needs evaluation |
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart...
1 affected package
cpp-httplib
| Package | 22.04 LTS |
|---|---|
| cpp-httplib | Needs evaluation |
(PJSIP is a free and open source multimedia communication library writt ...)
1 affected package
pjproject
| Package | 22.04 LTS |
|---|---|
| pjproject | Not in release |
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject()...
1 affected package
node-immutable
| Package | 22.04 LTS |
|---|---|
| node-immutable | Needs evaluation |
(PJSIP is a free and open source multimedia communication library writt ...)
1 affected package
pjproject
| Package | 22.04 LTS |
|---|---|
| pjproject | Not in release |
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Not in release |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Not in release |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Not in release |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Not in release |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Not in release |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |