67 matches found
Astra Linux - vulnerability in python-tornado
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server’s event loop for an extended period, due to the use of the HTTPHeaders.add method. This method accumulates values using string...
CVE-2026-33326 @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany
Keystone is a content management system for Node.js. Prior to version 6.5.2, field.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 field-level isFilterab...
UBUNTU-CVE-2025-67725
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...
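The two Tornado entries above describe the same mechanism: repeated header values accumulated by string concatenation, so one request carrying many copies of a header makes the parser do quadratic work on the event loop. The following is an added illustration written for this page, not Tornado's own code: a hypothetical `ConcatHeaders` store that joins repeated values by concatenation, a `ListHeaders` store that appends and joins once, and a byte-copy counter showing how the cost diverges on a constructed request. Header name, value length and request sizes are assumptions.

```python
"""Added example: quadratic cost of concatenating repeated header values
versus a linear append-then-join store. Not Tornado's implementation."""
from typing import Dict, List


class ConcatHeaders:
    """Hypothetical store: repeated values are merged with ',' by
    concatenating onto the existing string. bytes_copied counts how many
    characters each add() has to copy into a freshly allocated string."""

    def __init__(self) -> None:
        self._values: Dict[str, str] = {}
        self.bytes_copied = 0

    def add(self, name: str, value: str) -> None:
        key = name.lower()
        old = self._values.get(key)
        if old is None:
            self._values[key] = value
            self.bytes_copied += len(value)
        else:
            # old + "," + value builds a new string; everything already
            # accumulated in `old` is copied again, so the k-th duplicate
            # costs O(k * len(value)) and n duplicates cost O(n^2).
            self._values[key] = old + "," + value
            self.bytes_copied += len(old) + 1 + len(value)

    def get(self, name: str):
        return self._values.get(name.lower())


class ListHeaders:
    """Linear alternative: keep a list per name and join only on read."""

    def __init__(self) -> None:
        self._values: Dict[str, List[str]] = {}
        self.bytes_copied = 0

    def add(self, name: str, value: str) -> None:
        self._values.setdefault(name.lower(), []).append(value)
        self.bytes_copied += len(value)  # each value is stored exactly once

    def get(self, name: str):
        parts = self._values.get(name.lower())
        return None if parts is None else ",".join(parts)


def parse_raw_headers(raw: bytes, store):
    """Feed CRLF-separated 'Name: value' lines into a header store."""
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        store.add(name.decode("latin-1").strip(), value.decode("latin-1").strip())
    return store


def build_request(n: int, value_len: int = 64) -> bytes:
    """Constructed hostile header block: n copies of one header name."""
    line = b"X-Dup: " + b"a" * value_len + b"\r\n"
    return line * n


def compare(n: int):
    """Return (bytes copied by concatenation, bytes copied by list store)
    for a request with n duplicate headers; both stores yield the same value."""
    raw = build_request(n)
    concat = parse_raw_headers(raw, ConcatHeaders())
    listed = parse_raw_headers(raw, ListHeaders())
    assert concat.get("x-dup") == listed.get("x-dup")
    return concat.bytes_copied, listed.bytes_copied


if __name__ == "__main__":
    for n in (100, 1000, 2000):
        print(n, compare(n))
```

Doubling the number of duplicate headers roughly quadruples the concatenation cost while the list store's cost merely doubles, which is why a single request can monopolise a single-threaded event loop. The practical check on any header parser is the same: bound the number and total size of header lines before accumulating them, and never rebuild the accumulated string per value.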
PT-2025-50883
Name of the Vulnerable Software and Affected Versions: Tornado versions 6.5.2 and below Description: Tornado, a Python web framework and asynchronous networking library, has an issue where the reason phrase supplied to functions like RequestHandler.set_status and tornado.web.HTTPError is used witho...
CVE-2025-31954
HCL iAutomate v6.5.1 and v6.5.2 are susceptible to sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see...
EUVD-2025-15725
Malicious code in bioql PyPI...
CVE-2024-45495
MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking...
CVE-2025-26621 OpenCTI vulnerable to Denial of Service through web hook
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability to manage customizations can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...
CVE-2025-26621
OpenCTI vulnerability CVE-2025-26621: Prior to version 6.5.2, users with the capability to manage customizations can edit a webhook that executes JavaScript code. This can be abused to trigger a denial-of-service via prototype pollution, rendering the Node.js server running the OpenCTI frontend u...
PT-2025-22013 · Node.Js +1
Name of the Vulnerable Software and Affected Versions: OpenCTI versions prior to 6.5.2 Description: The issue affects an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability to manage customizations can edit a...
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
...
CVE-2025-24566
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomáš Groulík Intro Tour Tutorial DeepPresentation (dp-intro-tours) allows Reflected XSS. This issue affects Intro Tour Tutorial DeepPresentation: from n/a through 6.5.2...
PT-2025-7023 · Unknown · Deeppresentation
Name of the Vulnerable Software and Affected Versions: Intro Tour Tutorial DeepPresentation versions n/a through 6.5.2 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS attacks...
PT-2024-31662 · Unknown · Fieldserver Gateway
Name of the Vulnerable Software and Affected Versions: MSA FieldServer Gateway versions 5.0.0 through 6.5.2 Description: The issue allows cross-origin WebSocket hijacking. This means that an attacker can potentially hijack WebSocket connections from a different origin, which could lead to...
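Cross-origin WebSocket hijacking, as in the FieldServer Gateway entries above, works because the browser performs the WebSocket upgrade with the victim's cookies and the server never checks which site initiated it. The defence is to validate the `Origin` header against an allowlist before completing the handshake. The following is an added example written for this page, not the gateway's or any framework's code: a minimal handshake parser plus an origin check run against constructed legitimate and hostile upgrade requests. The allowlisted origin `https://gateway.example.com` and the header set are assumptions.

```python
"""Added example: allowlist check on the Origin header of a WebSocket
upgrade request, the standard mitigation for cross-origin WebSocket
hijacking. Illustrative code, not the affected product's implementation."""
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, host, port)

# Assumed deployment: the UI that is allowed to open sockets lives here.
ALLOWED_ORIGINS: Set[Origin] = {("https", "gateway.example.com", 443)}


def parse_handshake(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse an HTTP/1.1 request head into (request line, lowercased header map).
    Duplicate headers are rejected rather than merged, so an attacker cannot
    smuggle a second Origin value past the check."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        key = name.decode("latin-1").strip().lower()
        if key in headers:
            raise ValueError("duplicate header: " + key)
        headers[key] = value.decode("latin-1").strip()
    return request_line, headers


def normalize_origin(origin: str) -> Optional[Origin]:
    """Reduce a serialized origin to (scheme, host, port); None if unusable.
    Opaque origins ('null'), unknown schemes and bad ports are all rejected."""
    try:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def is_websocket_upgrade(headers: Dict[str, str]) -> bool:
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def websocket_origin_allowed(headers: Dict[str, str],
                             allowed: Set[Origin] = ALLOWED_ORIGINS,
                             require_origin: bool = True) -> bool:
    """Decide whether to complete the handshake. A missing Origin is refused
    by default because the endpoint is cookie-authenticated; browsers always
    send it, so only non-browser clients are affected by that policy."""
    if not is_websocket_upgrade(headers):
        return False
    origin = headers.get("origin")
    if origin is None:
        return not require_origin
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in allowed


def handshake_allowed(raw: bytes) -> bool:
    """Convenience wrapper: parse the raw request head, then apply the check."""
    try:
        _, headers = parse_handshake(raw)
    except ValueError:
        return False
    return websocket_origin_allowed(headers)


def _upgrade(origin_line: bytes) -> bytes:
    # Constructed sample handshake; only the Origin line varies.
    return (b"GET /ws HTTP/1.1\r\nHost: gateway.example.com\r\n"
            b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
            b"Sec-WebSocket-Version: 13\r\nCookie: session=abc\r\n"
            + origin_line + b"\r\n")


LEGIT_REQUEST = _upgrade(b"Origin: https://gateway.example.com\r\n")
HIJACK_REQUEST = _upgrade(b"Origin: https://attacker.example\r\n")
NULL_ORIGIN_REQUEST = _upgrade(b"Origin: null\r\n")
NO_ORIGIN_REQUEST = _upgrade(b"")
```

The check must run before the `101 Switching Protocols` response is written; once the socket is upgraded the attacker's page already holds a full-duplex channel with the victim's session. Note that `Origin` is set by the browser and cannot be forged from a web page, but it is trivially set by a non-browser client, so this check complements rather than replaces per-connection authentication.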
PT-2024-35467 · Unknown · Wp-Affiliate-Platform
Name of the Vulnerable Software and Affected Versions: wp-affiliate-platform versions prior to 6.5.2 Description: The issue concerns a lack of a CSRF check when deleting affiliates, which could allow attackers to make a logged-in user change or delete affiliates via a CSRF attack. Recommendations: For...
BIT-WORDPRESS-MULTISITE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Fedora 39 : wordpress (2024-8ffb095abb)
The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-8ffb095abb advisory. Upstream announcement: WordPress 6.5.2 Maintenance and Security Release. Security updates included in this release: A cross-site scripting (XSS) vulnerability...