Security vulnerabilities and automated fixes for cwe 400 issues
2 posts found
A high-severity Denial of Service vulnerability (CVE-2026-22774) was discovered in the `devalue` package used by the exo-dashboard SvelteKit application. Attackers could craft malicious input to trigger excessive resource consumption in the devalue deserialization library, potentially taking down the web service. The fix upgrades `devalue` from version 5.5.0 to 5.6.2 in both `package.json` and `package-lock.json`.
A medium-severity vulnerability was discovered and patched in the PicoW ClockMaster firmware's MQTT client, where file import functionality lacked resource limits and the broker connection lacked authentication—allowing attackers on the same network to inject spoofed motor and LED commands. The fix introduces proper input validation, file size checks, JSON depth limits, and authenticated/encrypted MQTT connections. This case is a timely reminder that IoT firmware security requires the same rigor