Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.
A bypass vulnerability in fast-xml-parser allows attackers to circumvent entity expansion limits through numeric character references (&#NNN;) and standard XML entities, causing denial of service via excessive memory allocation and CPU consumption. The vulnerability affects fast-xml-parser versions 5.x through 5.5.5, completely bypassing security controls added in the previous CVE-2026-26278 fix. A proof-of-concept demonstrates that even with strict limits configured (maxTotalExpansions=10), an attacker can inject 100,000+ numeric entities to consume hundreds of megabytes of memory.
Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.
Markus versions up to 2.9.4 are affected by improper restriction of recursive entity references in DTDs (CVSS 4.9).
Fast XML Parser versions 4.1.3 through 5.3.5 are vulnerable to XML entity expansion attacks that allow remote attackers to cause denial of service by forcing unbounded entity expansion with minimal payload sizes. Public exploit code exists for this vulnerability, enabling attackers to freeze or severely degrade application performance. Upgrade to version 5.3.6 or disable entity processing using the `processEntities: false` option to mitigate the risk.
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.
XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed.) Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29.
An attacker with access to HX 10.0.0 and previous versions may send specially crafted data to the HX console. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.