CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the Oj (Optimized JSON) library for Ruby, a heap corruption vulnerability exists. When a JSON object key is exactly 65,535 bytes long, an integer truncation in the form_attr function causes a negative length to be passed to memcpy, copying a huge amount of data and crashing the process. The issue is fixed in version 3.17.2.
A use-after-free vulnerability has been discovered in the Oj (Optimized JSON) library for Ruby. Disabling symbol_keys on a reused Oj::Parser instance frees the internal key cache without clearing the pointer, leading to reading from freed memory during subsequent parsing.
A heap use-after-free vulnerability exists in the C engine of the Oj (Optimized JSON) Ruby gem prior to version 3.17.2. The issue occurs when a SAJ/SAJ2 callback mutates the input JSON string during parsing, causing the internal buffer to be reallocated and leaving a dangling pointer.
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby.
A heap buffer overflow vulnerability was found in the Oj (Optimized JSON) library for Ruby when serializing Exception objects with a large :indent value. The issue affects versions prior to 3.17.2 and has been fixed in that version.
A denial-of-service (DoS) vulnerability was found in the Oj (Optimized JSON) library for Ruby. The Oj::Doc#each_child function, when recursively processing a deeply nested JSON document, overflows a fixed-size stack buffer, causing a process crash. The issue has been fixed in version 3.17.3.
A stack-based buffer overflow vulnerability was found in the Oj (Optimized JSON) library for Ruby in the Oj.dump method. The issue occurs when a large :indent value is provided, causing a 2 GB write to the stack and process crash.
In the Oj (Optimized JSON) library for Ruby, a vulnerability was found where uninitialized stack memory is read when parsing JSON keys of 254 bytes or longer in :object mode. The flaw occurs in form_attr() which passes a stack buffer instead of a properly allocated heap buffer to rb_intern3(), causing process stack memory disclosure. The issue is fixed in version 3.17.3.
phpMyFAQ before version 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.
A vulnerability in n8n before version 2.25.7 and 2.26.x before 2.26.2 allows bypassing the AST security validator in the Python Code node. An authenticated user with permission to create or modify workflows containing this node can access the task executor module namespace.
Grav CMS before version 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session deserialize untrusted data without class restrictions, enabling PHP object injection and, via a gadget chain, arbitrary code execution. Additionally, InstallCommand's git clone operation does not escape branch, url, and path parameters, allowing OS command injection during plugin/theme installation (requires admin access). A Twig security blocklist bypass (server-side template injection) is also present.
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges.
A command injection vulnerability in the ms_service.pl service of Storage Concentrator (SC & SCVM) allows an unauthenticated remote attacker to execute arbitrary commands with root privileges by sending a specially crafted packet to the default TCP port 9000.
An SSRF vulnerability in Open WebUI before version 0.6.27 in the /api/v1/retrieval/process/web endpoint allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.
A vulnerability in ImageMagick before version 7.1.2-24 allows attackers to bypass security policies and create or truncate files that should be blocked. The flaw is due to incorrect policy path validation, enabling file writes outside allowed boundaries.
A vulnerability in ImageMagick before version 7.1.2-22 in the PasskeyEncipherImage method causes AES-CTR nonce reuse. Attackers can exploit this to recover plaintext from encrypted images.
A memory leak vulnerability in ImageMagick before version 7.1.2-19 exists in the PNG encoder when writing MNG images. Attackers can trigger the encoder failure condition to exhaust memory resources and cause denial of service.
A memory leak vulnerability in ImageMagick before version 7.1.2-13 exists in the LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service.
In ImageMagick before version 7.1.2-22, a division by zero vulnerability exists in binomial kernel processing. An attacker can supply a large binomial kernel value causing integer overflow, resulting in division by zero and application crash.
ImageMagick before version 7.1.2-19 contains an off-by-one error in morphology validation, allowing out-of-bounds heap buffer reads. Attackers can trigger a heap buffer overflow by providing incorrect morphology parameters, causing single pixel memory access violations.

