178 matches found
CVE-2026-0573
CVE-2026-0573 affects GitHub Enterprise Server. The repository_pages API insecurely follows HTTP redirects when fetching artifact URLs, preserving the Authorization header containing a privileged JWT. An authenticated user could redirect requests to an attacker-controlled domain, exfiltrate the A...
PT-2026-20495
Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.19 GitHub Enterprise Server versions 3.19.2 GitHub Enterprise Server versions 3.18.4 GitHub Enterprise Server versions 3.17.10 GitHub Enterprise Server versions 3.16.13 GitHub Enterprise Server...
WordPress plugin Zarinpal Gateway for WooCommerce 访问控制错误漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
CVE-2021-22209
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed...
CVE-2025-14524
CVE-2025-14524 affects curl: when an HTTP(S) transfer is redirected cross‑protocol to IMAP/LDAP/POP3/SMTP, the OAuth2 bearer token may be leaked to the new target. Root cause: credentials aren’t cleared for the OAuth2 bearer during redirect handling, while username/password are cleared. Several a...
GHSA-GW2X-Q739-QHCR RustFS gRPC GetMetrics deserialization panic enables remote DoS
Summary A malformed gRPC GetMetrics request causes getmetrics to unwrap failed deserialization of metrictype/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. Details - Vulnerable code: rustfs/src/storage/tonicservice.rs:1775-1782: - MetricType and...
CVE-2025-12540
The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics clientID and clientsecret being stored in plaintext in the publicly visible plugin source. This can...
CURL-CVE-2025-14524 bearer token leak on cross-protocol redirect
When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host...
Petlibro Smart Pet Feeder Platform 安全漏洞
Petlibro Smart Pet Feeder Platform is a smart pet management system from Petlibro. A security vulnerability exists in Petlibro Smart Pet Feeder Platform version 1.7.31 and earlier, which stems from a flaw in OAuth token authentication that could lead to authentication bypass...
EUVD-2025-205645
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header...
GHSA-X4M5-4CW8-VC44 axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. Details The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds wit...
CVE-2025-12623
A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Toke...
Jenkins OpenShift Pipeline Plugin 安全漏洞
Jenkins OpenShift Pipeline Plugin is an open source pipeline plugin for Jenkins. A security vulnerability exists in Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier versions, which stems from an authorization token that is not encrypted and stored in the job config.xml file of the Jenkins...
EUVD-2025-34111
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, the streaming server accepts serving events for public timelines to clients using any valid authentication token, even if those tokens lack the read:statuses scope. This allow...
EUVD-2020-20330
Malware in sbrugna...
EUVD-2024-17467
Malicious code in bioql PyPI...
EUVD-2025-27606
Malicious code in bioql PyPI...
EUVD-2024-17624
Malicious code in bioql PyPI...
EUVD-2025-22553
Malicious code in bioql PyPI...
EUVD-2024-31713
Malicious code in bioql PyPI...