Search CVE reports


Toggle filters

81 – 90 of 42760 results

Status is adjusted based on your filters.


CVE-2026-46633

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, allowing a crafted template name...

1 affected package

php-twig

Package 20.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46629

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a...

1 affected package

php-twig

Package 20.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46628

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the deprecated spaceless filter is registered as safe for HTML, causing Twig autoescaping to emit attacker-controlled markup unescaped when spaceless is applied to untrusted...

1 affected package

php-twig

Package 20.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-46627

Medium priority
Needs evaluation

Twig is a template language for PHP. Prior to 3.26.0, the Twig sandbox does not prevent a template from consuming CPU, memory, or wall-clock time, even under the strictest allow-list, allowing untrusted templates to cause resource...

1 affected package

php-twig

Package 20.04 LTS
php-twig Needs evaluation
Show less packages

CVE-2026-45363

Medium priority
Needs evaluation

ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token because OpenSSL::HMAC.digest('SHA256',...

1 affected package

ruby-jwt

Package 20.04 LTS
ruby-jwt Needs evaluation
Show less packages

CVE-2026-59889

Medium priority
Needs evaluation

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.18.0 until 2.18.9, 2.21.5, 2.22.1, 3.1.5, and 3.2.1, UnwrappedPropertyHandler.processUnwrapped() replays...

1 affected package

jackson-databind

Package 20.04 LTS
jackson-databind Needs evaluation
Show less packages

CVE-2026-49855

Medium priority
Needs evaluation

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks,...

1 affected package

python-tornado

Package 20.04 LTS
python-tornado Needs evaluation
Show less packages

CVE-2026-49854

Medium priority
Needs evaluation

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes,...

1 affected package

python-tornado

Package 20.04 LTS
python-tornado Needs evaluation
Show less packages

CVE-2026-49853

Medium priority
Needs evaluation

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization, auth_username, auth_password,...

1 affected package

python-tornado

Package 20.04 LTS
python-tornado Needs evaluation
Show less packages

CVE-2026-49477

Medium priority
Needs evaluation

Soup Sieve is a CSS selector library designed to be used with Beautiful Soup 4. Prior to 2.8.4, the CSS selector parser in soupsieve contains a regular expression vulnerable to catastrophic backtracking when processing an...

1 affected package

soupsieve

Package 20.04 LTS
soupsieve Needs evaluation
Show less packages