CL-SEC Advisory Database

Security vulnerabilities in the Common Lisp ecosystem

1
Critical
21
High
19
Medium
15
Low
55
Fixed
1
Open
61
Total
ID Project Severity CVSS Title Status Published
CL-SEC-2026-0211 cl-sanitize-html MEDIUM 4.1 Backslash protocol-relative URL bypass in cl-sanitize-html allows resource loading from arbitrary domains Fixed 2026-06-22
CL-SEC-2026-0208 ag-gRPC HIGH 7.5 Unbounded request buffering in HTTP/2 server (no max-receive-message-size) Fixed 2026-06-21
CL-SEC-2026-0209 ag-gRPC HIGH 7.5 HTTP/2 SETTINGS_MAX_FRAME_SIZE not enforced on inbound frames Fixed 2026-06-21
CL-SEC-2026-0206 pure-tls LOW 5.3 Out-of-bounds read parsing attacker-supplied ECHConfig causes uncaught error (remote DoS) in pure-tls Fixed 2026-06-21
CL-SEC-2026-0207 pure-tls LOW 4.2 ExtendedKeyUsage not enforced during certificate chain verification in pure-tls Fixed 2026-06-21
CL-SEC-2026-0210 ag-gRPC LOW 3.7 gRPC client crash on malformed percent-encoded grpc-message trailer Fixed 2026-06-21
CL-SEC-2026-0203 ag-proto HIGH 7.5 Unbounded recursion in protobuf nested message deserialization Fixed 2026-04-20
CL-SEC-2026-0204 ag-grpc HIGH 7.5 No decompressed size limit in gRPC message decompression (gzip bomb) Fixed 2026-04-20
CL-SEC-2026-0201 pure-tls HIGH 7.4 Certificate chain trust anchor verified by issuer name only, not signature, in pure-tls Fixed 2026-04-18
CL-SEC-2026-0202 pure-tls HIGH 5.9 Constant-time comparison returns equal for inputs differing by a multiple of 256 bytes in length Fixed 2026-04-18
CL-SEC-2026-0054 fast-http HIGH 7.5 Unbounded chunk size hex parsing enables memory and CPU exhaustion Fixed 2026-04-07
CL-SEC-2026-0004 dexador HIGH 7.4 Authentication credentials forwarded on cross-origin HTTP redirect Fixed 2026-04-07
CL-SEC-2026-0051 fast-http HIGH 7.4 HTTP request smuggling via duplicate Content-Length headers (last wins) Fixed 2026-04-07
CL-SEC-2026-0052 fast-http HIGH 7.4 HTTP request smuggling via Transfer-Encoding / Content-Length conflict not rejected Fixed 2026-04-07
CL-SEC-2026-0045 cl-cookie MEDIUM 6.5 No domain validation at cookie storage time enables cookie jar poisoning Fixed 2026-04-07
CL-SEC-2026-0053 fast-http MEDIUM 5.9 Transfer-Encoding obfuscation via trailing whitespace enables TE-TE request smuggling Fixed 2026-04-07
CL-SEC-2026-0197 ag-proto HIGH 7.5 Unbounded memory allocation in protobuf length-delimited field decoding Fixed 2026-04-03
CL-SEC-2026-0130 cl-sanitize-html CRITICAL 9.3 Missing SVG/MathML foreign content handling enables XSS in cl-sanitize-html Fixed 2026-03-31
CL-SEC-2026-0019 lack HIGH 8.1 Session fixation via client-supplied session ID reuse Fixed 2026-03-31
CL-SEC-2026-0020 lack HIGH 8.1 Unsafe deserialization in session stores escalates data injection to code execution Fixed 2026-03-31
CL-SEC-2026-0118 cl-chat HIGH 8.0 Stored cross-site scripting via unsanitized WebSocket messages in cl-chat Fixed 2026-03-31
CL-SEC-2026-0001 cl-completions HIGH 7.5 Gemini API key transmitted as URL query parameter Fixed 2026-03-31
CL-SEC-2026-0116 cl-chat HIGH 7.5 Gemini API key leaked in URL query parameter in cl-chat Fixed 2026-03-31
CL-SEC-2026-0124 cl-nats HIGH 7.5 Unbounded memory allocation from malicious server MSG byte counts in cl-nats Fixed 2026-03-31
CL-SEC-2026-0160 puri HIGH 7.5 Denial of service via read-from-string on URI port number Fixed 2026-03-31
CL-SEC-2026-0003 ag-gRPC HIGH 7.4 TLS certificate verification disabled by default in gRPC client Fixed 2026-03-31
CL-SEC-2026-0139 cl-x509 HIGH 7.4 No minimum RSA key size enforcement in cl-x509 Fixed 2026-03-31
CL-SEC-2026-0135 cl-selfupdate HIGH 7.0 Predictable temporary directory enables symlink and race attacks in cl-selfupdate Fixed 2026-03-31
CL-SEC-2026-0112 pure-tls MEDIUM 6.8 Missing TLS 1.3 downgrade sentinel check in pure-tls client handshake Fixed 2026-03-31
CL-SEC-2026-0120 cl-chat MEDIUM 6.8 Session cookie exposed in client-side JavaScript in cl-chat Fixed 2026-03-31
CL-SEC-2026-0123 cl-nats MEDIUM 6.8 NATS protocol injection via unsanitized subject and reply-to fields in cl-nats Fixed 2026-03-31
CL-SEC-2026-0147 ocicl MEDIUM 6.8 No client-side verification of downloaded package integrity in ocicl Open 2026-03-31
CL-SEC-2026-0134 cl-selfupdate MEDIUM 6.6 Checksum validation optional and silently skipped in cl-selfupdate Fixed 2026-03-31
CL-SEC-2026-0136 cl-selfupdate MEDIUM 6.6 No TLS certificate verification enforcement in cl-selfupdate Fixed 2026-03-31
CL-SEC-2026-0137 cl-selfupdate MEDIUM 6.5 Archive path traversal in tar and zip extraction in cl-selfupdate Fixed 2026-03-31
CL-SEC-2026-0131 cl-sanitize-html MEDIUM 6.1 CSS comment bypass in style attribute sanitization in cl-sanitize-html Fixed 2026-03-31
CL-SEC-2026-0133 cl-sanitize-html MEDIUM 6.1 Incomplete dangerous tag list allows content promotion from dangerous contexts in cl-sanitize-html Fixed 2026-03-31
CL-SEC-2026-0121 cl-nats MEDIUM 5.9 Credentials sent in cleartext over non-TLS connections in cl-nats Fixed 2026-03-31
CL-SEC-2026-0002 cl-completions MEDIUM 5.5 Full request URI including credentials leaked in error messages Fixed 2026-03-31
CL-SEC-2026-0140 cl-x509 MEDIUM 5.3 No validation of certificate validity period in cl-x509 Fixed 2026-03-31
CL-SEC-2026-0145 cl-x509 MEDIUM 5.3 KeyUsage unused-bits calculation incorrect for multi-byte bit strings in cl-x509 Fixed 2026-03-31
CL-SEC-2026-0113 pure-tls MEDIUM 4.8 Missing ServerHello legacy_session_id_echo validation in pure-tls Fixed 2026-03-31
CL-SEC-2026-0129 cl-sanitize-html MEDIUM 4.7 Double-encoded entity reversal enables XSS via output corruption in cl-sanitize-html Fixed 2026-03-31
CL-SEC-2026-0132 cl-sanitize-html MEDIUM 4.1 Protocol-relative URL bypass in cl-sanitize-html allows resource loading from arbitrary domains Fixed 2026-03-31
CL-SEC-2026-0114 pure-tls LOW 3.7 Non-cryptographic PRNG used for ticket age obfuscation in pure-tls Fixed 2026-03-31
CL-SEC-2026-0119 cl-chat LOW 3.7 WebSocket and HTTP servers lack TLS encryption in cl-chat Fixed 2026-03-31
CL-SEC-2026-0122 cl-nats LOW 3.7 No TLS certificate verification configuration in cl-nats Fixed 2026-03-31
CL-SEC-2026-0138 cl-selfupdate LOW 3.7 No protection against version downgrade attacks in cl-selfupdate Fixed 2026-03-31
CL-SEC-2026-0141 cl-x509 LOW 3.7 No CN/subject field validation allows null-byte injection in cl-x509 Fixed 2026-03-31
CL-SEC-2026-0142 cl-x509 LOW 3.7 SAN DNS names not validated allowing wildcard and null-byte injection in cl-x509 Fixed 2026-03-31
CL-SEC-2026-0126 cl-nats LOW 3.1 Credential leakage in error messages and conditions in cl-nats Fixed 2026-03-31
CL-SEC-2026-0128 cl-nats LOW 3.1 Header injection via CRLF in serialized NATS headers in cl-nats Fixed 2026-03-31
CL-SEC-2026-0127 cl-nats LOW 2.6 Server-supplied connect_urls enable SSRF with credential forwarding in cl-nats Fixed 2026-03-31
CL-SEC-2026-0115 pure-tls LOW 2.5 Secret key material not zeroized after use in pure-tls Fixed 2026-03-31
CL-SEC-2026-0125 cl-nats LOW 2.5 Credentials stored in plaintext in connection struct in cl-nats Fixed 2026-03-31
CL-SEC-2026-0143 cl-x509 LOW 2.5 Private key material not zeroized in memory in cl-x509 Fixed 2026-03-31
CL-SEC-2026-0117 cl-chat INFORMATIONAL 0.0 API keys leaked via error messages and debug logging in cl-chat Withdrawn 2026-03-31
CL-SEC-2026-0144 cl-x509 INFORMATIONAL 0.0 No BasicConstraints enforcement for signing keys in cl-x509 Withdrawn 2026-03-31
CL-SEC-2026-0146 ocicl INFORMATIONAL 0.0 Shell command injection via unsanitized file paths in ocicl setup.lisp Withdrawn 2026-03-31
CL-SEC-2026-0148 ocicl INFORMATIONAL 0.0 Untrusted search path via parent directory traversal for ocicl.csv Withdrawn 2026-03-31
CL-SEC-2026-0179 trivia INFORMATIONAL 0.0 trivia read pattern calls READ-FROM-STRING without binding *READ-EVAL* to NIL Withdrawn 2026-03-31