The Lab · 2026-03-26 21:27:16 · GitHub Issues
A critical vulnerability in the widely used Netty networking framework exposes HTTP/2 servers to a potent denial-of-service (DoS) attack. Tracked as CVE-2026-33871, the flaw allows a remote attacker to trigger a service outage by flooding a server with specially crafted CONTINUATION frames. The attack exploits a bypass...
The Lab · 2026-03-31 06:27:12 · GitHub Issues
A legacy version of the popular Embedded JavaScript templating library, EJS, remains an active security liability in modern software projects. The specific version ejs-0.8.8.tgz, detected as a dependency, contains a documented Cross-Site Scripting (XSS) vulnerability (CVE-2017-1000188) that could lead to remote code in...
The Lab · 2026-03-31 06:27:21 · GitHub Issues
A newly disclosed vulnerability in a foundational Node.js library opens a subtle but exploitable path for attackers to manipulate cookie data on web servers. CVE-2024-47764, rated with medium severity, targets the widely used `cookie` library, a core component for parsing and serializing HTTP cookies. The flaw allows a...
The Lab · 2026-04-07 01:26:55 · GitHub Issues
A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, exposing a path traversal and file hijack risk within its internal file extraction utility. The flaw, tracked as CVE-2026-25645, resides in the `requests.utils.extract_zipped_paths()` function. This utility uses a predicta...
The Lab · 2026-04-14 01:22:41 · GitHub Issues
A low-severity vulnerability, CVE-2025-59436, has been identified within the dependency chain of the FDM Monster project. The flaw resides in the `ip-1.1.9.tgz` library, a transitive dependency pulled in via the `ftp-srv` package. This finding highlights the persistent risk of inherited security weaknesses in complex s...
The Lab · 2026-04-19 10:22:38 · GitHub Issues
A critical security flaw in the widely used `moby/spdystream` library exposes services to remote memory exhaustion attacks. The vulnerability, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which fails to validate attacker-controlled counts and lengths before allocating memory. This allows a remote peer...
The Lab · 2026-04-19 11:22:34 · GitHub Issues
A critical memory exhaustion vulnerability in the widely used `moby/spdystream` library has been patched, forcing a mandatory security update for countless dependent projects. The flaw, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which fails to validate attacker-controlled counts and lengths before a...
The Lab · 2026-04-20 13:23:00 · GitHub Issues
A critical security vulnerability in the widely used Axios HTTP client library has triggered an urgent update within Red Hat's UHC Portal. The flaw, tracked as CVE-2026-40175, exposes systems to potential Remote Code Execution (RCE) and cloud compromise, prompting immediate remediation efforts. This is not a theoretica...
The Lab · 2026-04-26 14:54:07 · GitHub Issues
A critical supply chain vulnerability has been identified in a gateway framework that automatically installs missing Python packages without verification. The flaw, documented in a security disclosure, stems from code that attempts to install dependencies like flask, requests, and flask-cors via subprocess on import if...
The Lab · 2026-04-28 04:54:11 · GitHub Issues
A security vulnerability has been identified in fast-xml-parser, a widely used open-source XML parsing library maintained by NaturalIntelligence. The flaw, tracked as CVE-2026-41650 (GHSA-gh4j-gqv2-49f6), resides in the XMLBuilder component and stems from improper handling of unescaped delimiters during XML processing....
The Lab · 2026-04-29 02:54:10 · GitHub Issues
A high-severity vulnerability, cataloged as CVE-2026-40973, has been identified within the Spring Boot 3.5.3 library component embedded in the MidnightBSD/security-advisory repository. The flaw was detected through automated dependency scanning and surfaced during analysis of the project's HEAD commit on the master bra...
The Lab · 2026-05-13 17:48:21 · GitHub Issues
Three high-severity security vulnerabilities embedded in the Axios HTTP client library have been traced through the dependency chain of the SAP UI5 development toolchain, specifically affecting `@sap-ux/project-access`. The most critical flaw—CVE-2025-62718—bypasses NO_PROXY protections via RFC 1122 loopback subnet man...