protobufjs: Memory amplification from preserved unknown fields in binary decode

aiohttp: Incomplete websocket frame payloads bypass memory limits

aiohttp: HTTP/1 Pipelined Requests Queue Without Limit

aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines

aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges

DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, th...

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate...

Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient

protobufjs : Schema-derived names can shadow runtime-significant properties

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

Angular: Template and Attribute Namespace Sanitization Bypass (XSS)

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows