A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path...
CVSS 9.1 | AI Score 9.4 | EPSS 0.0004
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library. The library uses deepdiff.Delta objects to modify application state...
CVSS 9.8 | AI Score 9.8 | EPSS 0.0004
Cross-Site Request Forgery (CSRF) vulnerability in Hidekazu Ishikawa X-T9, Hidekazu Ishikawa Lightning, themeinwp Default Mag, Out the Box Namaha, Out the Box CityLogic, Marsian i-max, Jetmonsters Emmet Lite, Macho Themes Decode, Wayneconnor Sliding Door, Out the Box Shopstar!, Modernthemesnet...
CVSS 4.3 | AI Score 6.8 | EPSS 0.0005
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version v0.15.4 are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments...
CVSS 8.2 | AI Score 6.4 | EPSS 0.001
btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size...
CVSS 9.8 | AI Score 9.3 | EPSS 0.002
CVSS 9.8 | AI Score 8.9 | EPSS 0.003
CVSS 7.8 | AI Score 7.4 | EPSS 0.001
CVSS 8.6 | AI Score 8.5 | EPSS 0.002
Blockstream c-lightning through 0.10.1 allows loss of funds because of dust HTLC...
CVSS 9.4 | AI Score 9.2 | EPSS 0.002
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount...
CVSS 8.2 | AI Score 8 | EPSS 0.001
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node,...
CVSS 5.3 | AI Score 5 | EPSS 0.001
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session...
CVSS 6.3 | AI Score 6.3 | EPSS 0.001
c-lightning before 0.7.1 allows attackers to trigger loss of funds because of Incorrect Access Control. NOTE: README.md states "It can be used for testing, but it should not be used for real...
CVSS 7.5 | AI Score 7.5 | EPSS 0.001