Lucene search

31 matches found

OSV · added 2026/05/06 12:30 p.m. · 1 view

GHSA-5X9H-93GP-CHPJ Apache Wicket has a Cross-site Scripting issue

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

CVSS 6.1 · AI score 5.8 · EPSS 0.00183
Exploits 0 · References 4
NVD · added 2026/05/06 10:16 a.m. · 1 view

CVE-2026-40010

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...

CVSS 9.1 · EPSS 0.00111
Exploits 0 · References 2
ATTACKERKB · added 2026/05/06 8:31 a.m. · 5 views

CVE-2026-43646

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

AI score 5.8 · EPSS 0.00082
Exploits 0 · References 2 · Affected Software 1
CNNVD · added 2026/05/06 12:00 a.m. · 4 views

Apache Wicket information disclosure vulnerability

Apache Wicket is an open-source, lightweight, component-based framework developed by the Apache Foundation in the United States. It provides an object-oriented approach for developing web-based dynamic UI applications. Versions of Apache Wicket from 8.0.0 to 8.17.0, from 9.0.0 to 9.22.0, and from...

CVSS 7.5 · AI score 5.8 · EPSS 0.00082
Exploits 0 · References 1
Positive Technologies · added 2026/05/06 12:00 a.m. · 3 views

PT-2026-37383

Name of the Vulnerable Software and Affected Versions: Apache Wicket versions 8.0.0 through 8.17.0; Apache Wicket version 9.0.0; Apache Wicket versions 10.0.0 through 10.8.0. Description: Improper neutralization of input during web page generation allows for Cross-site Scripting (XSS), a flaw where an...

CVSS 6.1 · AI score 5.9 · EPSS 0.00183
Exploits 0 · References 7
EUVD · added 2025/10/03 8:07 p.m. · 4 views

EUVD-2025-25355

Malicious code in bioql PyPI...

CVSS 9.3 · AI score 6.3 · EPSS 0.0016
Exploits 1 · References 3
NVD · added 2025/09/19 2:15 p.m. · 2 views

CVE-2025-10715

A security flaw has been discovered in APEUni PTE Exam Practice App up to 10.8.0 on Android. The impacted element is an unknown function of the file AndroidManifest.xml of the component com.apeedication. The manipulation results in improper export of android application components. The attack...

CVSS 5.3 · EPSS 0.00018
Exploits 0 · References 5
Cvelist · added 2025/08/20 5:58 p.m. · 8 views

CVE-2025-55746 Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents without changes being applied to the files'...

CVSS 9.3 · EPSS 0.0016
Exploits 1 · References 2
Vulnrichment · added 2025/08/20 5:58 p.m. · 4 views

CVE-2025-55746 Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents without changes being applied to the files'...

CVSS 9.3 · AI score 7.9 · EPSS 0.0016
Exploits 1 · References 2
Github Security Blog · added 2025/06/20 3:30 p.m. · 6 views

Mattermost allows unauthorized channel member management through playbook runs

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public...

CVSS 4.3 · AI score 4.5 · EPSS 0.0017
Exploits 0 · References 3 · Affected Software 2
RedhatCVE · added 2025/02/04 10:12 p.m. · 5 views

CVE-2024-35220

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

CVSS 7.4 · AI score 7.4 · EPSS 0.00351
Exploits 0 · References 1
CNNVD · added 2024/09/02 12:00 a.m. · 2 views

Jellyfin security vulnerability

Jellyfin is a free software media system from Jellyfin Open Source. It allows you to control the management and streaming of media. It is an alternative to the proprietary Emby and Plex, and can serve media from dedicated servers to end-user devices through multiple applications. A security...

CVSS 5.4 · AI score 6.6 · EPSS 0.00173
Exploits 0 · References 3
NVD · added 2024/06/21 10:15 p.m. · 33 views

CVE-2024-37694

Rejected reason: This submission has been rejected by the CNA of record. Authentication is user configurable as described in our documentation. https://enterprise.arcgis.com/en/server/latest/administer/windows/configuring-arcgis-server-security.htm...

Exploits 0
Cvelist · added 2024/06/21 12:00 a.m. · 18 views

CVE-2024-37694

...

Exploits 0
OSV · added 2024/05/21 8:26 p.m. · 12 views

CVE-2024-35220 @fastify/session reuses destroyed session cookie

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

CVSS 7.4 · AI score 7.2 · EPSS 0.00351
Exploits 0 · References 5
Vulnrichment · added 2024/05/21 8:26 p.m. · 15 views

CVE-2024-35220 @fastify/session reuses destroyed session cookie

@fastify/session is a session plugin for fastify. It requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overridden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...

CVSS 7.4 · AI score 6.8 · EPSS 0.00351
Exploits 0 · References 3
CNNVD · added 2024/05/21 12:00 a.m. · 1 view

fastify session security vulnerability

fastify session is an open source plugin for fastify. A security vulnerability exists in fastify session version 10.8.0 and earlier that stems from the reuse of a corrupted session cookie...

CVSS 7.4 · AI score 7.3 · EPSS 0.00351
Exploits 0 · References 4
Positive Technologies · added 2023/12/12 12:00 a.m. · 2 views

PT-2023-30776 · Umbraco · Umbraco

Name of the Vulnerable Software and Affected Versions: Umbraco versions 10.0.0 through 10.8.0. Umbraco version 10.8.1 is not affected, but versions prior to 12.3.4 are affected, so the correct range is: Umbraco versions 10.8.2 through 12.3.3. Description: The issue is a cross-site scripting (XSS)...

CVSS 6.1 · AI score 5.8 · EPSS 0.00572
Exploits 0 · References 7
CNNVD · added 2023/04/24 12:00 a.m. · 3 views

Jellyfin path traversal vulnerability

Jellyfin is a freeware media system. It allows you to control the management and streaming of media. It is an alternative to the proprietary Emby and Plex and can serve media from a dedicated server to end-user devices through multiple applications. A path traversal vulnerability exists in Jellyf...

CVSS 8.8 · AI score 6.8 · EPSS 0.0076
Exploits 2 · References 7
CNNVD · added 2023/02/03 12:00 a.m. · 2 views

Jellyfin cross-site scripting vulnerability

Jellyfin is a freeware media system. It allows you to control the management and streaming of media. It is an alternative to the proprietary Emby and Plex, and can serve media from a dedicated server to end-user devices through multiple applications. A security vulnerability exists in Jellyfin...

CVSS 5.4 · AI score 5.7 · EPSS 0.00535
Exploits 1 · References 3