Total
18 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-1537 | 1 Microsoft | 5 Directx, Windows 2000, Windows 2003 Server and 2 more | 2026-05-21 | 9.3 HIGH | 8.8 HIGH |
| Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability." | |||||
| CVE-2026-43895 | 1 Jqlang | 1 Jq | 2026-05-13 | N/A | 4.4 MEDIUM |
| jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens. | |||||
| CVE-2026-41256 | 1 Jqlang | 1 Jq | 2026-05-13 | N/A | 5.5 MEDIUM |
| jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed. | |||||
| CVE-2026-23863 | 1 Whatsapp | 1 Whatsapp | 2026-05-11 | N/A | 6.5 MEDIUM |
| An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild. | |||||
| CVE-2026-43859 | 2026-05-05 | N/A | 3.7 LOW | ||
| mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | |||||
| CVE-2026-43861 | 2026-05-05 | N/A | 3.7 LOW | ||
| mutt before 2.3.2 does not check for '\0' in url_pct_decode. | |||||
| CVE-2025-14388 | 2026-04-15 | N/A | 9.8 CRITICAL | ||
| The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path. | |||||
| CVE-2025-9648 | 2026-04-15 | N/A | N/A | ||
| A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during form data parsing. Multiple malicious requests will result in complete CPU exhaustion and render the service unresponsive to further requests. This issue was fixed in commit 782e189. This issue affects only the library, standalone executable pre-built by vendor is not affected. | |||||
| CVE-2025-61985 | 2026-04-15 | N/A | 3.6 LOW | ||
| ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. | |||||
| CVE-2025-1936 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 7.3 HIGH |
| jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. | |||||
| CVE-2026-4359 | 1 Mongodb | 1 C Driver | 2026-04-02 | N/A | 2.0 LOW |
| A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver. | |||||
| CVE-2026-33191 | 1 Free5gc | 1 Udm | 2026-03-23 | N/A | 8.6 HIGH |
| Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2. | |||||
| CVE-2026-28540 | 1 Huawei | 1 Harmonyos | 2026-03-05 | N/A | 4.0 MEDIUM |
| Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-66263 | 1 Dbbroadcast | 44 Mozart Dds Next 100, Mozart Dds Next 1000, Mozart Dds Next 1000 Firmware and 41 more | 2025-12-03 | N/A | 7.5 HIGH |
| Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user. | |||||
| CVE-2025-47812 | 1 Wftpserver | 1 Wing Ftp Server | 2025-11-05 | N/A | 10.0 CRITICAL |
| In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts. | |||||
| CVE-2024-9026 | 1 Php | 1 Php | 2025-11-03 | N/A | 3.3 LOW |
| In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability. | |||||
| CVE-2025-55113 | 1 Bmc | 1 Control-m\/agent | 2025-10-10 | N/A | 9.0 CRITICAL |
| If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate. | |||||
| CVE-2024-10921 | 1 Mongodb | 1 Mongodb | 2025-10-01 | N/A | 6.8 MEDIUM |
| An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2. | |||||