
41 matches found

CVE
added 2026/02/17 9:54 a.m., 19 views

CVE-2026-25903

Summary: CVE-2026-25903 affects Apache NiFi 1.1.0–2.7.2, where updating configuration properties on extension components with Restricted annotation permissions bypasses some authorization checks. This can allow a user with lower privileges to modify properties for components that require higher p...

CVSS 8.7 | AI score 5.6 | EPSS 0.00028
Exploits 0 | References 2 | Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2018-11867

Malware in sbrugna...

CVSS 5.5 | AI score 6.2 | EPSS 0.00106
Exploits 1 | References 3
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-1659

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 8.1 | EPSS 0.00932
Exploits 1 | References 11
RedhatCVE
added 2025/05/22 8:37 p.m., 1 view

CVE-2021-35475

SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties...

CVSS 5.4 | AI score 6.1 | EPSS 0.00617
Exploits 4 | References 1
CNNVD
added 2025/05/11 12:00 a.m., 1 view

Gosuncn Audio-Visual Integrated Management Platform Access Control Error Vulnerability

Gosuncn Audio-Visual Integrated Management Platform is an intelligent audio-video convergence management platform from China's Gosuncn, which supports multi-protocol device access and AI analysis. An access control error vulnerability exists in Gosuncn Audio-Visual Integrated Management Platform...

CVSS 6.9 | AI score 5.3 | EPSS 0.00215
Exploits 1 | References 5
CVE
added 2024/11/12 3:54 p.m., 46 views

CVE-2024-52297

Tolgee (open-source localization platform) vulnerability CVE-2024-52297: in version 3.81.1, all configuration properties were exposed publicly via PublicConfigurationDTO to users. Root cause: Public exposure of configuration data. Impact: high potential disclosure risk stated in sources; fixed in...

CVSS 9.8 | AI score 9.3 | EPSS 0.00601
Exploits 0 | References 3 | Affected Software 1
Spring Engineering
added 2024/10/28 12:00 a.m., 20 views

RestClient Support for OAuth2 in Spring Security 6.4

In Spring Security 6.2 and 6.3, we have worked to steadily improve configuration for applications using OAuth2 Client. Configuration for common use cases has been simplified by allowing applications to publish beans which are automatically included in the overall OAuth2 Client configuration durin...

AI score 6.7
Exploits 0
OSV
added 2024/06/27 7:15 p.m., 6 views

CVE-2024-5824

A path traversal vulnerability in the /setpersonalityconfig endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file. This can lead to remote code execution by changing server configuration properties such as forceacceptremoteaccess and...

CVSS 7.4 | AI score 7.7
Exploits 0 | References 2
Vulnrichment
added 2024/06/27 6:45 p.m., 12 views

CVE-2024-5824 Path Traversal in parisneo/lollms

A path traversal vulnerability in the /setpersonalityconfig endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file. This can lead to remote code execution by changing server configuration properties such as forceacceptremoteaccess and...

CVSS 7.4 | AI score 8 | EPSS 0.01395
Exploits 0 | References 2
Tenable Nessus
added 2024/06/22 12:00 a.m., 26 views

RHEL 6 : quarkus-core (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - quarkus-core: Leak of local configuration properties into Quarkus applications CVE-2024-2700 Note that Nessus has n...

CVSS 7 | AI score 6.8 | EPSS 0.00044
Exploits 0 | References 1
Vulnrichment
added 2024/04/09 4:15 p.m., 14 views

CVE-2024-31867 Apache Zeppelin: LDAP search filter query Injection Vulnerability

Improper Input Validation vulnerability in Apache Zeppelin. Attackers can execute malicious queries by setting improper configuration properties for the LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes...

AI score 6.5 | EPSS 0.00921
Exploits 0 | References 3
NVD
added 2024/04/04 2:15 p.m., 18 views

CVE-2024-2700

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been...

CVSS 7 | AI score 7 | EPSS 0.00044
Exploits 0 | References 8
Cvelist
added 2024/04/04 1:46 p.m., 25 views

CVE-2024-2700 Quarkus-core: leak of local configuration properties into quarkus applications

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been...

CVSS 7 | AI score 7 | EPSS 0.00044
Exploits 0 | References 8
CNNVD
added 2024/04/04 12:00 a.m., 1 view

Quarkus Security Vulnerability

Quarkus is a cloud-native Linux container-first framework for writing Java applications. A security vulnerability exists in Quarkus that stems from the leakage of local configuration properties into Quarkus applications...

CVSS 7 | AI score 6.7 | EPSS 0.00044
Exploits 0 | References 3
Github Security Blog
added 2024/03/22 4:30 p.m., 38 views

Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass

Summary: Grav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server, bypassing the existing security sandbox. Details: The Grav CMS implements a custom sandbox to protect the...

CVSS 8.8 | AI score 8.7 | EPSS 0.62168
Exploits 4 | References 4 | Affected Software 1
OSV
added 2023/12/05 6:30 p.m., 17 views

GHSA-RV74-M283-5J95 Elasticsearch-hadoop Unsafe Deserialization

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue...

CVSS 6 | AI score 6.7 | EPSS 0.00064
Exploits 0 | References 3
Github Security Blog
added 2023/12/05 6:30 p.m., 25 views

Elasticsearch-hadoop Unsafe Deserialization

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue...

CVSS 7.8 | AI score 6.9 | EPSS 0.00064
Exploits 0 | References 3 | Affected Software 1
OSV
added 2023/12/05 6:15 p.m., 17 views

CVE-2023-46674

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue...

CVSS 7.8 | AI score 7.8
Exploits 0 | References 1
Prion
added 2023/12/05 6:15 p.m., 15 views

Deserialization of untrusted data

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue...

CVSS 4.3 | AI score 7.1 | EPSS 0.00064
Exploits 0 | References 1 | Affected Software 1
CVE
added 2023/12/05 5:21 p.m., 56 views

CVE-2023-46674

CVE-2023-46674 applies to Elastic Elasticsearch-Hadoop, where unsafe deserialization of Java objects from Hadoop or Spark configuration properties that could be modified by an authenticated user enables arbitrary code execution on the target system. The issue is triggered when a local authenticat...

CVSS 7.8 | AI score 6.6 | EPSS 0.00064
Exploits 0 | References 1 | Affected Software 1