Search CVE reports
101 – 110 of 36697 results
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Needs evaluation |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Needs evaluation |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Needs evaluation |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and...
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Needs evaluation |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
3 affected packages
golang-1.24, golang-1.25, golang-1.26
| Package | 22.04 LTS |
|---|---|
| golang-1.24 | Needs evaluation |
| golang-1.25 | Not in release |
| golang-1.26 | Not in release |
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11), `qjs` interpreter using the `-m` option and a low memory limit can cause...
1 affected package
quickjs
| Package | 22.04 LTS |
|---|---|
| quickjs | Not in release |
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject()...
1 affected package
node-immutable
| Package | 22.04 LTS |
|---|---|
| node-immutable | Needs evaluation |
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with...
1 affected package
quickjs
| Package | 22.04 LTS |
|---|---|
| quickjs | Not in release |
GNU Binutils through 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup...
1 affected package
binutils
| Package | 22.04 LTS |
|---|---|
| binutils | Needs evaluation |
GNU Binutils through 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the...
1 affected package
binutils
| Package | 22.04 LTS |
|---|---|
| binutils | Needs evaluation |