Security Vulnerabilities
DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of `<svg` before the actual SVG root element. When the SVG is subsequently rendered via `@resvg/resvg-js` on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes. In version 9.4.2, the regex-based approach has been replaced with XML-aware processing using `fast-xml-parser` to correctly identify and modify the SVG root element's attributes. Additionally, a `fitTo` constraint has been added to the `renderAsync` call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-03-24
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-24
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-24
Privilege escalation in the IPC component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-03-24
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-03-24
Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
9.1
EPSS Score
0.0
Published
2026-03-24
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
10.0
EPSS Score
0.0
Published
2026-03-24
Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-24
Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-03-24
Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-03-24