MantisBT Security Vulnerability
MantisBT is a web-based open-source defect tracking system developed by the MantisBT team. It provides project management and defect tracking through a web interface. MantisBT versions 2.28.0 and 2.28.1 contain security vulnerabilities. These vulnerabilities stem...
CVE-2026-44377
CubeCart is an ecommerce software solution. Prior to 6.7.0, an authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart, including Email Templates and Documents. The application unsafely evaluates user-supplied input directly through the Smarty templat...
MAL-2026-3646 Malicious code in erslove (npm)
erslove is a typosquatting package impersonating resolve, the module resolution library implementing require.resolve semantics. The package bundles the legitimate resolve source and test fixtures to appear functional while hiding a credential-theft payload in index1.js, executed at install time v...
EUVD-2026-27233
An issue was discovered in the Shared Account Synchronization component of PaperCut MF version 25.0.4. The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with...
Linux Distros Unpatched Vulnerability : CVE-2013-0266
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the puppetlabs-cinder module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable...
OpenClaw Security Vulnerability
OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contain a security vulnerability: the Nostr privateKey is stored in plain text in the configuration files. It was exploited through a call...
CVE-2026-41332
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability: GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files ...
CVE-2025-61260
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads...
CVE-2025-61260
The CVE-2025-61260 issue affects the OpenAI Codex CLI, specifically versions prior to 0.23.0. The root cause is improper handling of repository-local configuration files (notably .env and .codex/config.toml) that are loaded automatically when the codex command is executed in a malicious or compro...
CVE-2021-47960
A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web pag...
systemd Security Vulnerability
systemd is a system and service manager for Linux, originally developed by Lennart Poettering (Germany). It is compatible with SysV and LSB init scripts and provides a framework for expressing dependencies between system services. Prior to version 260, there was a security vulnerability...
Malicious code in sjs-biginteger (npm)
sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...
Command Injection
Overview PraisonAI is an AI agents framework with self-reflection. The PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
[SECURITY] Fedora 43 Update: corosync-3.1.10-2.fc43
This package contains the Corosync Cluster Engine Executive, several default APIs and libraries, default configuration files, and an init script...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the importConfig process. An attacker can execute arbitrary code on the server by importing a crafted configuration file containing malicious paths. Details A Directory Traversal attack, also known as path travers...
CVE-2025-36051
IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user...
CVE-2026-32297
The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries. Modified configuration files or system binaries could allow an attacker to take complete control of a vulnerable system...
CVE-2026-30976
Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files containing API keys and database credentials, Windows...
CVE-2025-60949
CVE-2025-60949 affects Census CSWeb. In version 8.0.1, the path app/config can be exposed over HTTP in some deployments, allowing a remote, unauthenticated attacker to request configuration files and obtain leaked secrets. Impact is described in CVE records as high confidentiality/integrity risks...
CVE-2026-32810 Halloy has insecure file permissions on credential files
Halloy is an IRC application written in Rust. In versions on *nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in 0644 on files and 0755 on directories. This allows any...
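The Halloy entry above describes the general pitfall of creating credential files with whatever the process umask yields. The following Rust example, added here and not taken from Halloy or from its fix commit, shows the pattern a practitioner would want instead: request owner-only modes (0700 for the directory, 0600 for the file) at creation time so there is never a window in which the file exists world-readable, plus a small audit/repair helper for files that already exist with loose permissions. Function names and the sample file contents are this example's own assumptions; it is Unix-only because it relies on the std::os::unix extension traits.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Create the config directory owner-only. The mode is passed to mkdir(2), and a
/// umask can only clear bits, so 0700 can never be widened to 0755 by the caller's umask.
pub fn create_private_dir(dir: &Path) -> io::Result<()> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)
}

/// Write a credential file with mode 0600 set in the open(2) call itself.
/// `create_new` refuses to reuse an existing file, so a file left behind with
/// 0644 (the bug described on the page) cannot silently be written into.
pub fn write_private_file(path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(path)?;
    f.write_all(contents)
}

/// Permission bits of a path, masked to the classic rwxrwxrwx triplet.
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Audit check: true when group or other have any access bit set.
pub fn is_group_or_world_accessible(path: &Path) -> io::Result<bool> {
    Ok(mode_bits(path)? & 0o077 != 0)
}

/// Repair an existing credential file to owner read/write only.
pub fn restrict_existing(path: &Path) -> io::Result<()> {
    fs::set_permissions(path, fs::Permissions::from_mode(0o600))
}

fn main() -> io::Result<()> {
    // Hypothetical layout: <tmp>/halloy-example/credentials.toml
    let dir = std::env::temp_dir().join(format!("halloy-example-{}", std::process::id()));
    create_private_dir(&dir)?;
    let creds = dir.join("credentials.toml");
    // Constructed sample contents; not a real credential.
    write_private_file(&creds, b"[server]\npassword = \"example\"\n")?;
    println!("dir mode  = {:o}", mode_bits(&dir)?);
    println!("file mode = {:o}", mode_bits(&creds)?);
    println!("exposed   = {}", is_group_or_world_accessible(&creds)?);
    fs::remove_dir_all(&dir)
}
```

Setting the mode in `OpenOptions` rather than calling `set_permissions` afterwards matters: with the latter there is a race between creation and chmod during which another local user can open the file and keep the descriptor.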