21 matches found
CVE-2026-27953
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...
CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...
EUVD-2026-4714
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server, leading to remote code execution via a malicious ZIP archive...
CVE-2025-67737
AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a...
CVE-2025-67737
CVE-2025-67737 affects AzuraCast versions 0.23.1, where an API endpoint intended for internal use by sftpgo was exposed in the public HTTP API (at /api/internal/sftp-event). A user with valid SFTP credentials and knowledge of the station’s internal filesystem can craft a tailored HTTP request to ...
CVE-2025-67737 AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE
AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a...
EUVD-2025-30331
Malicious code in bioql PyPI...
EUVD-2025-24583
Malicious code in bioql PyPI...
OPENSUSE-SU-2025:15582-1 tree-sitter-ruby-0.23.1-2.1 on GA media
These are all security issues fixed in the tree-sitter-ruby-0.23.1-2.1 package on the GA media of openSUSE Tumbleweed...
CVE-2025-59344 AliasVault Vulnerable to Server-Side Request Forgery via Favicon Extraction
AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows...
PT-2025-38575
Name of the Vulnerable Software and Affected Versions: AliasVault API versions 0.23.0 and lower. Description: A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature. The extractor fetches a user-supplied URL, parses the returned HTML, and follows...
CVE-2025-50251
Server-side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery...
PT-2025-33008 · Makeplane · Makeplane
Name of the Vulnerable Software and Affected Versions: makeplane plane version 0.23.1. Description: The software contains a server-side request forgery (SSRF) vulnerability in the password recovery functionality. Recommendations: At the moment, there is no information about a newer version that...
CVE-2025-50251
CVE-2025-50251 describes a server-side request forgery (SSRF) in Makeplane (plane) version 0.23.1, triggered via the password recovery feature. The vulnerability affects makeplane plane 0.23.1 and is classified with high impact for confidentiality and integrity, with a CVSS v3.1 base score of 9.1...
Plane 0.23.1 Server-Side Request Forgery
Plane version 0.23.1 suffers from a server-side request forgery vulnerability. Exploit Title: Plane - Server side request forgery SSRF Date: 2024-01-13 Exploit Author: Saud Alenazi Vendor Homepage: https://plane.so Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1 Version:...
Vela Security Breach
Vela is an application open-sourced by GitHub in the United States that provides an automation framework. A security vulnerability exists in Vela 0.23.1 and earlier versions, stemming from a flaw that allows an attacker to replace variables to bypass log masking and inject secre...
CVE-2021-29511
evm is a pure Rust implementation of the Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use evm_core::Memory::copy_large, the evm crate can over-allocate memory when it is not needed, making it possible for an attacker to perform...
PT-2021-18262 · Evm · Evm
Name of the Vulnerable Software and Affected Versions: evm versions prior to 0.21.1, 0.23.1, 0.24.1, 0.25.1 and 0.26.1. Description: The issue is related to the execution of specific EVM opcodes that use evm...
Seth Vargo Exposure Notification Verification Server Input Validation Error Vulnerability
Seth Vargo exposure-notifications-verification-server is an open-source application by Seth Vargo. It is the reference implementation of the Exposure Notifications Verification Server, which is part of the broader Google Exposure Notifications system. A security vulnerability in Seth Vargo Exposu...