
CVSS: 7.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Mar 2025 — In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock. • https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1081338;filename=dix-Hold-input-lock-for-AttachDevice.patch;msg=5 • CWE-413: Improper Resource Locking •

CVSS: 4.4 • EPSS: 0% • CPEs: 2 • EXPL: 0

12 Mar 2025 — Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied. • https://go.dev/cl/654697 • CWE-115: Misinterpretation of Input •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Feb 2025 — An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed ... • https://go.dev/cl/652155 • CWE-1286: Improper Validation of Syntactic Correctness of Input •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Feb 2025 — SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange. ... • https://go.dev/cl/652135 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Dec 2024 — An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service. • https://go.dev/cl/637536 • CWE-770: Allocation of Resources Without Limits or Throttling • CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 9.1 • EPSS: 24% • CPEs: 1 • EXPL: 3

11 Dec 2024 — Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to i... • https://github.com/NHAS/CVE-2024-45337-POC • CWE-285: Improper Authorization •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks allows Reflected XSS. This issue affects CRM Perks: from n/a through 1.1.5. The CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject... • https://patchstack.com/database/wordpress/plugin/support-x/vulnerability/wordpress-crm-perks-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Nov 2024 — XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. ... • https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266 • CWE-121: Stack-based Buffer Overflow • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Nov 2024 — A heap buffer overflow could be triggered by sending a specific packet to TCP port 7700. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-122: Heap-based Buffer Overflow •

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Nov 2024 — Under certain conditions, access to service libraries is granted to accounts that should not have access to them. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-708: Incorrect Ownership Assignment •