Vulnerabilities

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group<br /> ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast<br /> -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList<br /> .base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s<br /> equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. <br /> No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS <br /> limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t<br /> he issue.

A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group<br /> ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an <br /> SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields <br /> of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage — specifically by tampering with the `str_size` <br /> value read by `readString` (called from `readBinaryProperty`) — are modified, a 32-bit integer overflow can occur, causing<br /> `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term<br /> ination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group<br /> ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an <br /> SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields <br /> of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`<br /> reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro<br /> lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca<br /> tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. <br /> Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group<br /> ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on<br /> going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token <br /> delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i<br /> .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed <br /> sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),<br /> string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat<br /> es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s<br /> o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,<br /> delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n<br /> umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal<br /> header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi<br /> ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p<br /> atch the issue.

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group<br /> ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un<br /> authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft<br /> ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write<br /> s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (<br /> RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation).

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2.

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name &amp; Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name &amp; Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2.

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator&amp;#39;s browser. This occurs because the Tax Rates &amp;#39;Name&amp;#39; field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.