CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Horner Automation Cscape versions prior to 10.2 SP3 are vulnerable to an Out-of-Bounds Read vulnerability through parsing CSP files. Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.
Bleichenbacher padding oracle vulnerability in PKCS#7 KTRI decryption in wolfSSL. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, the library returned distinguishable error codes depending on whether RSA padding validation failed or the decrypted content was malformed. This allowed an attacker to incrementally recover the Content Encryption Key (CEK) by observing error responses.
Heap buffer overread in wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7 EnvelopedData. This could theoretically be triggered by attacker-supplied data delivered via S/MIME or CMS.
A vulnerability in the wolfSSL library allows accepting a certificate chain that terminates at an untrusted intermediate certificate instead of a trusted anchor. The issue occurs in partial-chain verification mode (X509_V_FLAG_PARTIAL_CHAIN) and affects the OpenSSL-compatible certificate path building path.
A vulnerability in AES-GCM implementation allows counter wrap and keystream reuse when processing extremely large single messages (>64 GiB) via streaming APIs, leading to plaintext recovery.
Vulnerability in wolfSSL library affects PKCS7_verify() function, which incorrectly returned success for degenerate PKCS#7 objects containing only certificates, without a signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content.
The pnpm package manager from version 11.3.0 to 11.5.3 has a vulnerability where the `pnpm stage download` command derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file.
In pnpm prior to versions 10.34.2 and 11.5.3, a vulnerability was discovered where manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent.
pnpm package manager prior to versions 10.34.2 and 11.5.3 persists bootstrap metadata in the first YAML document of pnpm-lock.yaml. A malicious repository can bypass fresh package-manager resolution and cause pnpm to install and execute arbitrary code during automatic version switching.
pnpm prior to versions 10.34.2 and 11.5.3 allows installation of configDependencies declared in pnpm-workspace.yaml before command dispatch. A repository can declare pacquet or @pnpm/pacquet as a config dependency, and pnpm treats this repository-controlled dependency as an install-engine opt-in. During installation, pnpm resolves a platform-specific @pacquet/<platform>-<arch>/pacquet binary from node_modules/.pnpm-config/<packageName> and spawns it as the developer or CI user.
In pnpm prior to versions 10.34.2 and 11.5.3, the generic peer-suffix normalizer incorrectly stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could authorize a different attacker-controlled source whose locator normalized to the same value.
A vulnerability in pnpm package manager prior to versions 10.34.2 and 11.5.3 expands ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml files into registry request destinations and credentials. A malicious repository can send victim environment secrets to an attacker-selected registry before lifecycle scripts run.
In jq prior to version 1.8.2, on 32-bit systems, the jvp_string_append function may experience integer overflow, leading to a massive buffer overrun.
In pnpm before versions 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting an integrity mismatch with pnpm-lock.yaml. Even though the package is locked with an integrity value and the registry returns different data, pnpm performs a resolution repair, updates the lockfile, and installs the new content, exiting successfully.
In pnpm before versions 10.34.0 and 11.4.0, the tarball extraction worker skips integrity verification when the integrity field is missing from pnpm-lock.yaml. An attacker can remove this field and serve altered package content, allowing installation of modified packages without integrity errors.
pnpm before versions 10.34.0 and 11.4.0 can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken, while the repository only sets registry= to a different registry URL. During normal pnpm workflows, the user's credentials are bound to the repository-selected registry and sent as an Authorization header.
pnpm before versions 10.34.0 and 11.4.0 allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm uses that alias as a filesystem path when linking dependency nodes, enabling an attacker to replace paths in the current project with symlinks to attacker-controlled directories.
A vulnerability in pnpm package manager prior to versions 10.34.0 and 11.4.0 allows an attacker to write or delete arbitrary files on the filesystem during pnpm install. The issue stems from missing path validation in .patch files, enabling the use of ../ sequences to escape the package directory.
A vulnerability in pnpm package manager before versions 10.34.0 and 11.4.0 allows an attacker to inject Git options into the git fetch command via a malicious lockfile. Lack of validation of the commit value in the lockfile enables substitution of the --upload-pack option, which for SSH and local transports can lead to arbitrary command execution.
In jq prior to 1.8.2, using `--rawfile` with an attacker-controlled file can cause a heap out-of-bounds write in builds without assertions. The bug is due to the loop not stopping after a 'String too long' error, leading to operations on an invalid object.

