Regular Expression without Anchors

Overview Affected versions of this package are vulnerable to Regular Expression without Anchors in the parseModelURL function in Ollama Engine startup probe that allows shell metacharacters like ;, |, $, and backticks. An attacker can execute arbitrary operating system commands by supplying a...

CVE-2026-34940

KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript function in internal/modelcontroller/engineollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components ref, modelParam. This shell command is executed via bash ...

CVE-2026-23630

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting XSS. The frontend can render attacker-controlled Mermaid diagrams using mermaid.render, then inject the returned SVG/HT...

CVE-2026-23630

CVE-2026-23630 affects Docmost: versions 0.3.0–0.23.2 are vulnerable to stored XSS in Mermaid diagram rendering. attacker-controlled Mermaid diagrams rendered via mermaid.render() are injected into the DOM with dangerouslySetInnerHTML, and per-diagram %%{init}%% directives can override securityLe...

CVE-2026-23630

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting XSS. The frontend can render attacker-controlled Mermaid diagrams using mermaid.render, then inject the returned SVG/HT...

SUSE CVE-2024-41260

A static initialization vector IV in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information email addresses when in possession of the audit events database...

CVE-2025-68696 httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd...

PT-2025-52864

Name of the Vulnerable Software and Affected Versions httparty versions prior to 0.23.2 Description httparty is susceptible to a Server-Side Request Forgery SSRF condition in versions 0.23.2 and earlier. This issue could lead to the disclosure of API keys and enable unauthorized requests to...

CVE-2025-67737

CVE-2025-67737 affects AzuraCast versions 0.23.1, where an API endpoint intended for internal use by sftpgo was exposed in the public HTTP API (at /api/internal/sftp-event). A user with valid SFTP credentials and knowledge of the station’s internal filesystem can craft a tailored HTTP request to ...

CVE-2025-67737 AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE

AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a...

PT-2025-50896

Name of the Vulnerable Software and Affected Versions AzuraCast versions 0.23.1 Description AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint intended for internal use by the SFTP software sftpgo, exposing it to the public-facing...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the api/internal/sftp-event endpoint. An attacker can remove database records associated with media files by crafting custom HTTP requests that simulate internal SFTP events, provided they have knowledge of vali...

EUVD-2022-7197

Malicious code in bioql PyPI...

PlexRipper 安全漏洞

PlexRipper is a cross-platform Plex media downloader from the PlexRipper open source. A security vulnerability exists in PlexRipper version 0.23.2, which stems from an open CORS policy that allows an attacker to obtain sensitive information by giving users access to their domain name...

CVE-2024-41260

A static initialization vector IV in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information email addresses when in possession of the audit events database...

PT-2024-22351 · Vela · Vela

Name of the Vulnerable Software and Affected Versions: Vela versions prior to 0.23.2 Description: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image, and entrypoint to inject secrets into a plugin/image and bypass log masking, exposing secrets...

btcd mishandles witness size checking

btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking. Specific Go Packages Affected github.com/btcsuite/btcd/wire...

CVE-2022-44797

btcd before 0.23.2, as used in Lightning Labs lnd before 0.15.2-beta and other Bitcoin-related products, mishandles witness size checking...

GHSA-2VP2-8M5J-4RJX cnlh nps vulnerable to file overwrite by local user

lib/install/install.go in cnlh nps prior to 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user...

[SECURITY] Fedora 34 Update: rust-libsqlite3-sys-0.23.2-1.fc34

Native bindings to the libsqlite3 library...