63 matches found

Snyk
added 2026/05/19 3:54 p.m., 10 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview: Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the HideSecretData function, which fails to mask the predictedLive argument for the --server-side-diff command. An attacker can extract last-applied-configuration which may...

CVSS 6.3, AI score 5.8
Exploits 0, References 2
EUVD
added 2026/04/21 1:33 a.m., 0 views

EUVD-2026-24047

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1040 performs chan->width * chan->bytes_per_element in...

CVSS 8.4, AI score 5.8, EPSS 0.00033
Exploits 1, References 4
Vulnrichment
added 2026/04/21 1:33 a.m., 1 views

CVE-2026-40250 OpenEXR has integer overflow in DWA decoder outBufferEnd pointer arithmetic (missed variant of CVE-2026-34589)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1040 performs chan->width * chan->bytes_per_element in...

CVSS 8.4, AI score 5.8, EPSS 0.00033
Exploits 0, References 4
ATTACKERKB
added 2026/04/21 1:30 a.m., 6 views

CVE-2026-40244

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internal_dwa_compressor.h:1722 performs curc->width * curc->height in int32...

CVSS 8.4, AI score 5.8, EPSS 0.00033
Exploits 1, References 5, Affected Software 1
CVE
added 2026/03/05 9:24 a.m., 24 views

CVE-2026-21628

The CVE-2026-21628 entry concerns the Astroid Framework integration with Joomla. A vulnerable, improperly secured file management feature allows unauthenticated users to upload dangerous data types, enabling remote code execution. Affected: Astroid Framework for Joomla versions 2.0.0 through 3.3....

CVSS 10, AI score 6.2, EPSS 0.00265
Exploits 1, References 1, Affected Software 1
RedhatCVE
added 2026/02/20 7:40 p.m., 3 views

CVE-2026-25739

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the...

CVSS 5.4, AI score 5.2, EPSS 0.00059
Exploits 0, References 1
CVE
added 2026/02/19 3:39 p.m., 7 views

CVE-2026-25739

CVE-2026-25739 is reserved with no public details in the Initial document, but a connected advisory (GHSA-JXC4-54G3-J7VP) indicates a Cross-Site Scripting (XSS) vulnerability in Indico related to uploading materials. The issue occurs when certain file types are uploaded as materials, enabling XSS...

CVSS 5.4, AI score 5.2, EPSS 0.00059
Exploits 0, References 2, Affected Software 1
OSV
added 2026/02/19 3:39 p.m., 3 views

CVE-2026-25739 Indico affected by Cross-Site-Scripting via material uploads

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the...

CVSS 5.4, AI score 5.2, EPSS 0.00059
Exploits 0, References 4
Cvelist
added 2026/02/19 3:39 p.m., 18 views

CVE-2026-25739 Indico affected by Cross-Site-Scripting via material uploads

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the...

CVSS 5.4, EPSS 0.00059
Exploits 0, References 2
CVE
added 2026/02/19 3:30 p.m., 4 views

CVE-2026-25738

Indico SSRF (CVE-2026-25738) affects Indico versions before 3.3.10. Outgoing requests to user-provided URLs can access sensitive targets (e.g., localhost, cloud metadata). Impact is limited by access controls (only event organizers can see returned data); non-AWS IPs are less affected. remediatio...

CVSS 6.9, AI score 5.6, EPSS 0.00065
Exploits 0, References 3, Affected Software 1
Vulnrichment
added 2026/02/19 3:30 p.m., 3 views

CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of...

CVSS 6.9, AI score 5.6, EPSS 0.00065
Exploits 0, References 3
OSV
added 2026/02/19 3:30 p.m., 3 views

CVE-2026-25738 Indico has Server-Side Request Forgery (SSRF) in multiple places

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of...

CVSS 6.9, AI score 5.7, EPSS 0.00065
Exploits 0, References 5
CNNVD
added 2026/02/19 12:00 a.m., 3 views

Indico code issue vulnerability

Indico is an open-source event management system with rich functionality. Versions of Indico prior to 3.3.10 had code-related vulnerabilities. These vulnerabilities stemmed from improper handling of URLs provided by users, which could lead to server-side request forgery attacks...

CVSS 6.9, AI score 5.8, EPSS 0.00065
Exploits 0, References 3
CNNVD
added 2026/02/19 12:00 a.m., 3 views

Indico cross-site scripting vulnerability

Indico is an open-source event management system with rich functionality. Versions of Indico prior to 3.3.10 had a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of certain file types during upload, which could lead to cross-site scripting attacks...

CVSS 5.4, AI score 5.6, EPSS 0.00059
Exploits 0, References 2
Github Security Blog
added 2026/02/17 6:54 p.m., 4 views

Indico Affected by Cross-Site-Scripting via material uploads

Impact: There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials. Patches: You should update to Indico 3.3.10 as soon as possible. See the docs for instructions on how to update. Please be aware that to apply the fix itself updating is sufficient, but to benef...

CVSS 5.4, AI score 5.8, EPSS 0.00059
Exploits 0, References 4, Affected Software 1
OSV
added 2026/02/17 6:54 p.m., 2 views

GHSA-JXC4-54G3-J7VP Indico Affected by Cross-Site-Scripting via material uploads

Impact: There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials. Patches: You should update to Indico 3.3.10 as soon as possible. See the docs for instructions on how to update. Please be aware that to apply the fix itself updating is sufficient, but to benef...

CVSS 5.4, AI score 5.8, EPSS 0.00059
Exploits 0, References 4
Snyk
added 2026/02/17 6:53 p.m., 1 views

Server-side Request Forgery (SSRF)

Overview: indico is a conference lifecycle management and meeting/lecture scheduling tool. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in is_private_url in util/network.py. A user can access internal network resources or sensitive endpoints by supplying...

CVSS 6.9, AI score 5.5, EPSS 0.00065
Exploits 0, References 2
OSV
added 2026/02/17 6:53 p.m., 2 views

GHSA-F47C-3C5W-V7P4 Indico has Server-Side Request Forgery (SSRF) in multiple places

Impact: Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints. Patches: You should update to Indic...

CVSS 6.9, AI score 5.8, EPSS 0.00065
Exploits 0, References 5
Github Security Blog
added 2026/02/17 6:53 p.m., 2 views

Indico has Server-Side Request Forgery (SSRF) in multiple places

Impact: Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints. Patches: You should update to Indic...

CVSS 6.9, AI score 5.7, EPSS 0.00065
Exploits 0, References 5, Affected Software 1
Positive Technologies
added 2026/02/17 12:00 a.m., 2 views

PT-2026-20327

Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.10. Description: Indico, an event management system, is susceptible to server-side request forgery (SSRF). The system makes outgoing requests to URLs provided by users. While this functionality is intentional, it could...

CVSS 6.9, AI score 5.5, EPSS 0.00065
Exploits 0, References 10