https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Tue, 16 Jun 2026 09:38:59 +0000 https://vulnerability.circl.lu/sighting/9471c7d6-3ef4-424f-9ebd-45c9182b8f77/export {"uuid": "9471c7d6-3ef4-424f-9ebd-45c9182b8f77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities_20260312", "content": "", "creation_timestamp": "2026-03-12T01:00:00.000000Z"} {"uuid": "9471c7d6-3ef4-424f-9ebd-45c9182b8f77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities_20260312", "content": "", "creation_timestamp": "2026-03-12T01:00:00.000000Z"} https://vulnerability.circl.lu/sighting/9471c7d6-3ef4-424f-9ebd-45c9182b8f77/export Thu, 12 Mar 2026 01:00:00 +0000 https://vulnerability.circl.lu/sighting/18dc4a11-d96b-4c22-a3fd-841d324fa07d/export {"uuid": "18dc4a11-d96b-4c22-a3fd-841d324fa07d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116214214929795362", "content": "", "creation_timestamp": "2026-03-12T04:03:14.002074Z"} {"uuid": "18dc4a11-d96b-4c22-a3fd-841d324fa07d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116214214929795362", "content": "", "creation_timestamp": "2026-03-12T04:03:14.002074Z"} https://vulnerability.circl.lu/sighting/18dc4a11-d96b-4c22-a3fd-841d324fa07d/export Thu, 12 Mar 2026 04:03:14 +0000 https://vulnerability.circl.lu/sighting/f759c17a-1b6b-4296-a07a-023013162870/export {"uuid": "f759c17a-1b6b-4296-a07a-023013162870", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mgvey4sbq22s", "content": "", "creation_timestamp": "2026-03-12T21:50:05.179450Z"} {"uuid": "f759c17a-1b6b-4296-a07a-023013162870", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mgvey4sbq22s", "content": "", "creation_timestamp": "2026-03-12T21:50:05.179450Z"} https://vulnerability.circl.lu/sighting/f759c17a-1b6b-4296-a07a-023013162870/export Thu, 12 Mar 2026 21:50:05 +0000 https://vulnerability.circl.lu/sighting/3befc5d7-af36-4cdf-b844-6b7ece894c0c/export {"uuid": "3befc5d7-af36-4cdf-b844-6b7ece894c0c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0298/", "content": "", "creation_timestamp": "2026-03-16T00:00:00.000000Z"} {"uuid": "3befc5d7-af36-4cdf-b844-6b7ece894c0c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0298/", "content": "", "creation_timestamp": "2026-03-16T00:00:00.000000Z"} https://vulnerability.circl.lu/sighting/3befc5d7-af36-4cdf-b844-6b7ece894c0c/export Mon, 16 Mar 2026 00:00:00 +0000 https://vulnerability.circl.lu/sighting/5fd265c2-dd79-4d00-972b-e7811f8b5a5b/export {"uuid": "5fd265c2-dd79-4d00-972b-e7811f8b5a5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/microsoft-edge-multiple-vulnerabilities_20260316", "content": "", "creation_timestamp": "2026-03-16T01:00:00.000000Z"} {"uuid": "5fd265c2-dd79-4d00-972b-e7811f8b5a5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-3919", "type": "seen", "source": "https://www.hkcert.org/security-bulletin/microsoft-edge-multiple-vulnerabilities_20260316", "content": "", "creation_timestamp": "2026-03-16T01:00:00.000000Z"} https://vulnerability.circl.lu/sighting/5fd265c2-dd79-4d00-972b-e7811f8b5a5b/export Mon, 16 Mar 2026 01:00:00 +0000 https://vulnerability.circl.lu/sighting/acb837cb-a120-4f5f-9bb1-a64c20ccea60/export {"uuid": "acb837cb-a120-4f5f-9bb1-a64c20ccea60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39196", "type": "seen", "source": "https://gist.github.com/pyuysig/423b15c69e3cd851c1e24c1312a0551a", "content": "# Vulnerability Report: CVE-2026-39196 - Vector - SQL injection in ClickHouse sink database template handling\n\n## Vulnerability Summary\nDatadog Vector 0.54.0 contains a SQL injection issue in the ClickHouse sink query construction path. When the clickhouse sink database setting is rendered from attacker-controlled event fields, an attacker can inject SQL syntax into the generated INSERT query and redirect writes to unintended ClickHouse tables accessible to the Vector credential.\n\n## Affected Product\n- **Vendor**: Datadog, Inc.\n- **Product**: Vector\n- **Version**: 0.54.0\n- **Vulnerable Component**: src/sinks/clickhouse/config.rs, src/sinks/clickhouse/sink.rs, src/sinks/clickhouse/service.rs, KeyPartitioner::partition, set_uri_query\n\n## Vulnerability Details\n- **Vulnerability Type**: SQL Injection\n- **Weakness**: CWE-89\n- **Attack Conditions**: Remote. The attacker must be able to submit events into a Vector pipeline whose ClickHouse sink uses a dynamic database template derived from attacker-controlled event fields.\n\n## Report Body\n\n### Summary\nDatadog Vector 0.54.0 contains a SQL injection issue in the ClickHouse sink query construction path. When the clickhouse sink database setting is rendered from attacker-controlled event fields, an attacker can inject SQL syntax into the generated INSERT query and redirect writes to unintended ClickHouse tables accessible to the Vector credential.\n\n### Details\nThe ClickHouse sink allows both table and database to be configured as templates. During partitioning, event data is rendered into the database and table values. The HTTP query builder then constructs INSERT INTO \"{database}\".\"{table}\" FORMAT ... but only escapes quotes in table, leaving database unescaped. URL encoding the HTTP query parameter does not neutralize SQL syntax after ClickHouse decodes the request.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-39196.\n3. Confirm the security result: A configuration such as database = \"{{ target_db }}\" and table = \"safe_table\" can be driven with target_db set to prod\".\"admin_logs\" FORMAT JSONEachRow -- . The resulting query changes the target from the configured table to prod.admin_logs if the target table schema and privileges permit it.\n\n### Impact\nIntegrity impact against downstream ClickHouse data. The demonstrated impact is attacker-controlled alteration of the INSERT target table and log or audit data poisoning, subject to sink configuration and ClickHouse permissions.\n\n## Remediation\nEscape or quote database identifiers using the same or stronger rules as table identifiers, or avoid SQL string construction from rendered templates. Consider validating rendered database and table identifiers against an allowlist.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:31.000000Z"} {"uuid": "acb837cb-a120-4f5f-9bb1-a64c20ccea60", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39196", "type": "seen", "source": "https://gist.github.com/pyuysig/423b15c69e3cd851c1e24c1312a0551a", "content": "# Vulnerability Report: CVE-2026-39196 - Vector - SQL injection in ClickHouse sink database template handling\n\n## Vulnerability Summary\nDatadog Vector 0.54.0 contains a SQL injection issue in the ClickHouse sink query construction path. When the clickhouse sink database setting is rendered from attacker-controlled event fields, an attacker can inject SQL syntax into the generated INSERT query and redirect writes to unintended ClickHouse tables accessible to the Vector credential.\n\n## Affected Product\n- **Vendor**: Datadog, Inc.\n- **Product**: Vector\n- **Version**: 0.54.0\n- **Vulnerable Component**: src/sinks/clickhouse/config.rs, src/sinks/clickhouse/sink.rs, src/sinks/clickhouse/service.rs, KeyPartitioner::partition, set_uri_query\n\n## Vulnerability Details\n- **Vulnerability Type**: SQL Injection\n- **Weakness**: CWE-89\n- **Attack Conditions**: Remote. The attacker must be able to submit events into a Vector pipeline whose ClickHouse sink uses a dynamic database template derived from attacker-controlled event fields.\n\n## Report Body\n\n### Summary\nDatadog Vector 0.54.0 contains a SQL injection issue in the ClickHouse sink query construction path. When the clickhouse sink database setting is rendered from attacker-controlled event fields, an attacker can inject SQL syntax into the generated INSERT query and redirect writes to unintended ClickHouse tables accessible to the Vector credential.\n\n### Details\nThe ClickHouse sink allows both table and database to be configured as templates. During partitioning, event data is rendered into the database and table values. The HTTP query builder then constructs INSERT INTO \"{database}\".\"{table}\" FORMAT ... but only escapes quotes in table, leaving database unescaped. URL encoding the HTTP query parameter does not neutralize SQL syntax after ClickHouse decodes the request.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-39196.\n3. Confirm the security result: A configuration such as database = \"{{ target_db }}\" and table = \"safe_table\" can be driven with target_db set to prod\".\"admin_logs\" FORMAT JSONEachRow -- . The resulting query changes the target from the configured table to prod.admin_logs if the target table schema and privileges permit it.\n\n### Impact\nIntegrity impact against downstream ClickHouse data. The demonstrated impact is attacker-controlled alteration of the INSERT target table and log or audit data poisoning, subject to sink configuration and ClickHouse permissions.\n\n## Remediation\nEscape or quote database identifiers using the same or stronger rules as table identifiers, or avoid SQL string construction from rendered templates. Consider validating rendered database and table identifiers against an allowlist.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:31.000000Z"} https://vulnerability.circl.lu/sighting/acb837cb-a120-4f5f-9bb1-a64c20ccea60/export Sat, 13 Jun 2026 12:45:31 +0000 https://vulnerability.circl.lu/sighting/b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b/export {"uuid": "b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39197", "type": "seen", "source": "https://gist.github.com/pyuysig/221e90dd598ab3f3c3100ae59db8e8d4", "content": "# Vulnerability Report: CVE-2026-39197 - Vector - HTTP and gRPC ingest body buffering can cause memory exhaustion\n\n## Vulnerability Summary\nVector 0.54.0 contains missing inbound size controls in several HTTP and gRPC ingest paths. A remote attacker can submit an oversized request body or highly compressed payload that is fully buffered or decompressed before an effective size limit is enforced, leading to memory exhaustion and denial of service.\n\n## Affected Product\n- **Vendor**: Vector Contributors\n- **Product**: Vector\n- **Version**: 0.54.0\n- **Vulnerable Component**: src/sources/util/http/prelude.rs, src/sources/util/http/encoding.rs, src/sources/opentelemetry/http.rs, src/sources/splunk_hec/mod.rs, src/sources/util/grpc/decompression.rs, src/sources/vector/mod.rs, src/sources/opentelemetry/config.rs\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error / Algorithmic Complexity\n- **Weakness**: CWE-400, CWE-770\n- **Attack Conditions**: Remote. The attacker must be able to reach an enabled Vector HTTP or gRPC ingest endpoint; compressed-payload variants depend on the relevant content encoding or gRPC compression path being enabled.\n\n## Report Body\n\n### Summary\nVector 0.54.0 contains missing inbound size controls in several HTTP and gRPC ingest paths. A remote attacker can submit an oversized request body or highly compressed payload that is fully buffered or decompressed before an effective size limit is enforced, leading to memory exhaustion and denial of service.\n\n### Details\nThe affected paths buffer HTTP request bodies or inflate compressed data into memory before enforcing a practical application-level size ceiling. The gRPC decompression layer disables tonic decode-size protection and only performs size checks after decompression.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-39197.\n3. Confirm the security result: Sending an oversized HTTP body, a highly compressed HTTP payload, or a large compressed gRPC message causes attacker-controlled memory growth before rejection, producing a repeatable denial-of-service condition.\n\n### Impact\nRemote denial of service through process memory exhaustion, crash, or restart loops on enabled ingest endpoints.\n\n## Remediation\nApply maximum body and decompressed-output limits before allocation and decompression. Preserve framework decode limits unless an equivalent pre-decompression limit is installed.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:32.000000Z"} {"uuid": "b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39197", "type": "seen", "source": "https://gist.github.com/pyuysig/221e90dd598ab3f3c3100ae59db8e8d4", "content": "# Vulnerability Report: CVE-2026-39197 - Vector - HTTP and gRPC ingest body buffering can cause memory exhaustion\n\n## Vulnerability Summary\nVector 0.54.0 contains missing inbound size controls in several HTTP and gRPC ingest paths. A remote attacker can submit an oversized request body or highly compressed payload that is fully buffered or decompressed before an effective size limit is enforced, leading to memory exhaustion and denial of service.\n\n## Affected Product\n- **Vendor**: Vector Contributors\n- **Product**: Vector\n- **Version**: 0.54.0\n- **Vulnerable Component**: src/sources/util/http/prelude.rs, src/sources/util/http/encoding.rs, src/sources/opentelemetry/http.rs, src/sources/splunk_hec/mod.rs, src/sources/util/grpc/decompression.rs, src/sources/vector/mod.rs, src/sources/opentelemetry/config.rs\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error / Algorithmic Complexity\n- **Weakness**: CWE-400, CWE-770\n- **Attack Conditions**: Remote. The attacker must be able to reach an enabled Vector HTTP or gRPC ingest endpoint; compressed-payload variants depend on the relevant content encoding or gRPC compression path being enabled.\n\n## Report Body\n\n### Summary\nVector 0.54.0 contains missing inbound size controls in several HTTP and gRPC ingest paths. A remote attacker can submit an oversized request body or highly compressed payload that is fully buffered or decompressed before an effective size limit is enforced, leading to memory exhaustion and denial of service.\n\n### Details\nThe affected paths buffer HTTP request bodies or inflate compressed data into memory before enforcing a practical application-level size ceiling. The gRPC decompression layer disables tonic decode-size protection and only performs size checks after decompression.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-39197.\n3. Confirm the security result: Sending an oversized HTTP body, a highly compressed HTTP payload, or a large compressed gRPC message causes attacker-controlled memory growth before rejection, producing a repeatable denial-of-service condition.\n\n### Impact\nRemote denial of service through process memory exhaustion, crash, or restart loops on enabled ingest endpoints.\n\n## Remediation\nApply maximum body and decompressed-output limits before allocation and decompression. Preserve framework decode limits unless an equivalent pre-decompression limit is installed.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:32.000000Z"} https://vulnerability.circl.lu/sighting/b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b/export Sat, 13 Jun 2026 12:45:32 +0000