YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.
A SQL injection vulnerability in the /ureport/datasource/previewData component of ureport v2.2.9 allows attackers to access sensitive database information via crafted SQL statements.
TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. Standard Kubernetes installations using kumactl or the official Helm chart are not affected because the mutating admission webhook automatically injects the CA certificate. No public exploit or CISA KEV listing is present at time of analysis; patch releases are available across all supported branches.
Memory exhaustion and denial-of-service across HTTP/2 server implementations allow remote unauthenticated attackers to crash or severely degrade affected services by intentionally stalling flow control using standard HTTP/2 protocol frames. Researched and reported by the Okta Red Team and coordinated through CERT/CC as VU#885548, this class of vulnerability is tracked across three CVEs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) affecting multiple vendor implementations including F5 BIG-IP. By advertising SETTINGS_INITIAL_WINDOW_SIZE=0 and withholding WINDOW_UPDATE frames across many simultaneous streams, an attacker forces vulnerable servers to buffer unbounded response data in memory with no ability to transmit it, leading to OOM kills, swap exhaustion, or connection and worker resource starvation. No public exploit code has been identified and no CISA KEV listing is present at time of analysis.
Memory exhaustion denial-of-service affects HTTP/2 server implementations that fail to cap buffered response data under stalled flow-control conditions. A remote unauthenticated attacker opens many simultaneous HTTP/2 streams while advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 or withholding WINDOW_UPDATE frames, forcing the server to accumulate unbounded in-memory response buffers it cannot transmit. Under permissive resource limits this can trigger OOM kills, swap exhaustion, and full system unresponsiveness; under tighter limits, connection and worker pool exhaustion degrades availability for legitimate clients. Reported 2026-07-16 by Okta Red Team and coordinated as CERT VU#885548 covering at least three CVE IDs (CVE-2026-59762, CVE-2026-59173, CVE-2026-44909) across multiple vendor implementations. No public exploit code identified at time of analysis, and CISA KEV listing not confirmed.
TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. A successful intercept grants the attacker the ability to impersonate the operator and issue privileged commands to the control plane. No public exploit identified at time of analysis; vendor-released patches are available.
Image::EPEG versions through 0.15 for Perl embeds an unsupported version of the Epeg library. Image::EPEG includes Epeg 0.9.0 that was last updated in 2004. Epeg is a fast JPEG thumbnail library that was once part of the Englightenment Project.
XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.
HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition.
HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parserc_parse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "<a ='c'>" or unbalanced quotes "<a b='''''''c'>" can trigger this condition. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
LogicalDOC Enterprise up to and for v9.1.1 is vulnerable to Local File Inclusion (LFI) in the OnlyOfficeEditor servlet class, allowing authenticated user to exploit path traversal flaws in the fileExt parameter, enabling unauthorized access to sensitive files outside the designated directories.
An issue in OPSWAT AppRemover Driver (ardrv.sys) v2017.10.02.1551 and earlier in IOCTL handler 0x2420031. Any local user can open the device and send process termination requests without privilege validation.
LogicalDOC Enterprise up to and for v9.1.1 is vulnerable to blind SQL injection in the ComparisonServlet component, allowing authenticated user to manipulate SQL queries via crafted input.