PT-2026-41770
Summary The Pages backend module registers the html purify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo->content without esc, yielding...
PT-2026-38617
Name of the Vulnerable Software and Affected Versions FacturaScripts versions prior to 2025.81 Description An authenticated unrestricted file upload issue exists in the product image upload functionality. An attacker with valid credentials can bypass MIME type validation by prepending GIF89a magi...
GHSA-4GP8-RJRQ-CH6Q link-preview-js vulnerable to IPv6 and internal loopback attacks
Impact The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. Patches Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. T...
CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...
MyBB Like Plugin Cross-Site Scripting Vulnerability
MyBB Like Plugin is an extension for forums developed by MyBB Corporation. Version 3.0.0 of MyBB Like Plugin contains a cross-site scripting vulnerability. This vulnerability arises from the lack of validation of topic content when posts or topics are created, which may allow attackers to inject...
CVE-2026-34735
The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload endpoint validates uploaded files by checking their MIME type via PHP's finfo, which inspects file contents but constructs the stored filename using the...
CVE-2026-30932
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...
Malicious Package
Overview svg-content-validation is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
MAL-2026-1980 Malicious code in svg-content-validation (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d9ab01c7680d2b5bb6bfb2ff3c6f36e38f3a5f604096e8e9c8c7cba22622cae1 The package svg-content-validation was found to contain malicious code. Source: ghsa-malware...
PT-2026-23787
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13 Description Flowise has a flaw where the /api/v1/attachments/:chatflowId/:chatId endpoint allows unauthenticated access to the file upload API because it is included in the WHITELIST URLS. The server trusts the...
Flare Cross-Site Scripting Vulnerability
Flare is a file-sharing platform developed by Zachary Lowery. Flare versions 1.7.0 and earlier contain a cross-site scripting vulnerability. The vulnerability stems from improper content validation or sanitization during file uploads, which can lead to stored cross-site scripting attacks...
Arbitrary File Upload
Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the store endpoint. An attacker can execute arbitrary scripts in the context of users by uploading specially crafted files that are rendered without proper content validation. Remediation There is no fixed...
PT-2026-5988
Name of the Vulnerable Software and Affected Versions podinfo versions through 6.9.0 Description An issue exists in podinfo that allows unauthenticated attackers to upload arbitrary files through a crafted POST request to the /store endpoint. The application renders uploaded content without a...
CVE-2025-66908
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType =...
Remote Code Execution (RCE)
redaxo/source is vulnerable to Remote Code Execution RCE. The vulnerability is due to insufficient validation of template content allowing PHP code injection, which allows an attacker to execute arbitrary operating system commands when the template is rendered...
Laravel File Manager Security Vulnerability
Laravel File Manager is a Laravel file manager by Aleksandr Manekin (individual developer). A security vulnerability exists in Laravel File Manager version 3.3.1, which stems from allowing users to upload, create, and rename HTML and SVG files without adequate content type validation or output...
Multiple WSO2 Products Security Vulnerability
WSO2 API Manager and other products are developed by WSO2 Corporation, USA. WSO2 API Manager is an API lifecycle management solution, WSO2 Identity Server (IS) is an identity server, and WSO2 Enterprise Integrator is an open source hybrid integration platform. A security vulnerability exists in...
EUVD-2019-9257
Malware in sbrugna...