4.6
CVE-2026-3837 - Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escapiβ¦
3.1
CVE-2026-34067 - nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived frβ¦
5.3
CVE-2026-34066 - nimiq-blockchain: Peer-triggerable panic during history sync
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). Durβ¦
7.5
CVE-2026-34065 - nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hasβ¦
5.3
CVE-2026-34064 - nimiq-account: Vesting insufficient funds error can panic
nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub`β¦
7.5
CVE-2026-34063 - network-libp2p: Peer can crash the node by opening discovery protocol substream twice
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer opens/β¦
4.6
CVE-2026-3673 - Frappe Framework 16.10.0 - Stored DOM XSS in Tag Pill Renderer
An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects Fraβ¦
2.1
CVE-2026-6019 - BaseCookie.js_output() does not neutralize embedded characters
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie β¦
5.3
CVE-2026-34062 - Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response
nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_mβ¦
9.6
CVE-2026-33471 - nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot lookup. Prior to version 1.3.0, if an attacker can β¦