| 1401 | 5.5 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator … | CWE-190 Integer Overflow or Wraparound; CWE-787 Out-of-bounds Write | CVE-2026-41257 | 2026-05-14 02:01 | 2026-05-12 |
| 1402 | 5.5 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter fil… | CWE-158 Improper Neutralization of Null Byte or NUL Character | CVE-2026-41256 | 2026-05-14 02:00 | 2026-05-12 |
| 1403 | 8.4 | HIGH | Local | - | - | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument… | CWE-77 Command Injection; CWE-78 OS Command | CVE-2026-43990 | 2026-05-14 02:00 | 2026-05-13 |
| 1404 | 8.4 | HIGH | Local | - | - | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument constru… | CWE-78 OS Command; CWE-184 Incomplete Blacklist | CVE-2026-43991 | 2026-05-14 02:00 | 2026-05-13 |
| 1405 | 9.8 | CRITICAL | Network | - | - | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accept… | CWE-200 Information Exposure; CWE-312 Cleartext Storage of Sensitive Information; CWE-522 Insufficiently Protected Credentials; CWE-532 Inclusion of Sensitive Information in Log Files | CVE-2026-43992 | 2026-05-14 02:00 | 2026-05-13 |
| 1406 | 8.2 | HIGH | Network | - | - | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch() on agent-supplied URLs without validating scheme, port, or reso… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-43993 | 2026-05-14 02:00 | 2026-05-13 |
| 1407 | 5.5 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with… | CWE-674 Uncontrolled Recursion | CVE-2026-40612 | 2026-05-14 02:00 | 2026-05-12 |
| 1408 | 7.5 | HIGH | Network | golang | go | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module pr… | CWE-347 Improper Verification of Cryptographic Signature | CVE-2026-42501 | 2026-05-14 01:59 | 2026-05-8 |
| 1409 | 7.5 | HIGH | Network | golang | go | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | NVD-CWE-noinfo | CVE-2026-42499 | 2026-05-14 01:59 | 2026-05-8 |
| 1410 | 6.1 | MEDIUM | Network | golang | go | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape a… | CWE-116 Improper Encoding or Escaping of Output | CVE-2026-39826 | 2026-05-14 01:59 | 2026-05-8 |