
OSV
added 2026/03/26 10:19 p.m., 2 views

GHSA-2J22-PR5W-6GQ8 Loofah has improper detection of disallowed URIs via `allowed_uri?`

Summary: Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details: The allowed_uri? method strips literal control characters before decoding HTML entities. Payloa...

CVSS: 2.3, AI score: 5.7
Exploits: 0, References: 5
CNNVD
added 2026/03/06 12:00 a.m., 3 views

timescaledb code issue vulnerability

TimescaleDB is a time-series database extension developed by Tiger Data. TimescaleDB versions 2.23.0 through 2.25.1 contain a code vulnerability caused by an improperly set search_path, which may lead to arbitrary code execution...

CVSS: 8.8, AI score: 6.1, EPSS: 0.00025
Exploits: 0, References: 4
Snyk
added 2026/02/12 10:11 p.m., 1 view

Deserialization of Untrusted Data

Overview: cesargb/laravel-magiclink creates secure links for accessing private data or logging in to Laravel without a password. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the magiclinks.action database column during the deserialization process. An attacke...

CVSS: 8.8, AI score: 6.6
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2023-27759

Malicious code in bioql PyPI...

CVSS: 5.4, AI score: 9, EPSS: 0.00179
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-43607

Malicious code in bioql PyPI...

CVSS: 6.5, AI score: 7.2, EPSS: 0.00085
Exploits: 0, References: 1
Tenable Nessus
added 2025/08/08 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-27154

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, t...

CVSS: 9.8, AI score: 7, EPSS: 0.00236
Exploits: 1, References: 2
OpenVAS
added 2025/05/26 12:00 a.m., 6 views

Fedora: Security Advisory (FEDORA-2025-fba1b24e4b)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS: 9.8, AI score: 9.8, EPSS: 0.00236
Exploits: 1, References: 3
RedhatCVE
added 2025/05/22 11:38 p.m., 1 view

CVE-2022-40211

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP allows Stored XSS. This issue affects GiveWP: from n/a through 2.25.1...

CVSS: 5.9, AI score: 8.6, EPSS: 0.00061
Exploits: 0, References: 1
RedhatCVE
added 2025/05/21 8:23 p.m., 6 views

CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance (e.g. `only`, `defaults`, `without`) outputs attribute values directly without escaping. If these...

CVSS: 6.1, AI score: 6.1, EPSS: 0.00167
Exploits: 0
OSV
added 2025/05/19 10:24 p.m., 5 views

GHSA-5J3W-5PCR-F8HG Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact: Rendering attributes or using any method that returns a ComponentAttributes instance (e.g. `only`, `defaults`, `without`) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. Patche...

CVSS: 6.1, AI score: 6.2, EPSS: 0.00167
Exploits: 0, References: 10
NVD
added 2025/05/19 8:15 p.m., 15 views

CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance (e.g. `only`, `defaults`, `without`) outputs attribute values directly without escaping. If these...

CVSS: 6.1, EPSS: 0.00167
Exploits: 0, References: 2
CVE
added 2025/05/19 7:25 p.m., 36 views

CVE-2025-47946

Summary: CVE-2025-47946 affects Symfony UX components. Prior to 2.25.1, rendering {{ attributes }} or using methods returning a ComponentAttributes instance can output unescaped attribute values, risking HTML attribute injection and XSS. The vulnerability affects the Symfony UX Twig component and...

CVSS: 6.1, AI score: 6.2, EPSS: 0.00167
Exploits: 0, References: 2
Cvelist
added 2025/05/19 7:25 p.m., 19 views

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance (e.g. `only`, `defaults`, `without`) outputs attribute values directly without escaping. If these...

CVSS: 6.1, EPSS: 0.00167
Exploits: 0, References: 2
Vulnrichment
added 2025/05/19 7:25 p.m., 9 views

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance (e.g. `only`, `defaults`, `without`) outputs attribute values directly without escaping. If these...

CVSS: 6.1, AI score: 6.2, EPSS: 0.00167
Exploits: 0, References: 2
Fedora
added 2025/03/15 12:49 a.m., 12 views

[SECURITY] Fedora 42 Update: python-spotipy-2.25.1-1.fc42

A lightweight Python library for the Spotify Web API...

CVSS: 9.8, AI score: 7.3, EPSS: 0.00236
Exploits: 1
Tenable Nessus
added 2025/03/10 12:00 a.m., 4 views

Fedora 41 : python-spotipy (2025-fba1b24e4b)

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-fba1b24e4b advisory: update to version 2.25.1, CVE-2025-27154. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus h...

CVSS: 9.8, AI score: 7, EPSS: 0.00236
Exploits: 1, References: 2
Fedora
added 2025/03/08 1:24 a.m., 10 views

[SECURITY] Fedora 41 Update: python-spotipy-2.25.1-1.fc41

A lightweight Python library for the Spotify Web API...

CVSS: 9.8, AI score: 7, EPSS: 0.00236
Exploits: 1
Tenable Nessus
added 2025/03/06 12:00 a.m., 3 views

FreeBSD : Spotipy -- Spotipy's cache file, containing spotify auth token, is created with overly broad permissions (475d1968-f99d-11ef-b382-b0416f0c4c67)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 475d1968-f99d-11ef-b382-b0416f0c4c67 advisory. [email protected] reports: Spotipy is a lightweight Python library for the Spotify Web API...

CVSS: 9.8, AI score: 6.8, EPSS: 0.00236
Exploits: 1, References: 3
CVE
added 2025/02/27 1:53 p.m., 104 views

CVE-2025-27154

CVE-2025-27154 affects Spotipy’s CacheHandler file permissions. Before version 2.25.1, the cache file is created with 644 permissions by default, exposing the Spotify auth token to other users or processes on the same machine. Version 2.25.1 tightens permissions to 600, reducing token exposure. T...

CVSS: 9.8, AI score: 6.8, EPSS: 0.00236
Exploits: 1, References: 4, Affected Software: 1
Cvelist
added 2025/02/27 1:53 p.m., 24 views

CVE-2025-27154 Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...

CVSS: 8.4, EPSS: 0.00236
Exploits: 1, References: 4