Lucene search
K

245 matches found

EUVD
EUVD
added 2026/04/21 5:18 p.m.7 views

EUVD-2026-24025

nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding...

6.5CVSS5.7AI score0.00306EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/21 5:18 p.m.11 views

nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

Summary When HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. Patches Upgrade to...

6.5CVSS5.9AI score0.00306EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/21 12:17 a.m.4 views

CVE-2026-39378

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

6.5CVSS5.9AI score0.00306EPSS
Exploits0References3Affected Software1
SUSE CVE
SUSE CVE
added 2026/03/25 12:27 a.m.5 views

SUSE CVE-2026-26022

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

8.7CVSS6AI score0.00306EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.10 views

PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled

Summary The getB64BasePdf function in @pdfme/common fetches arbitrary URLs via fetch without any validation when basePdf is a non-data-URI string and window is defined. An attacker who can control the basePdf field of a template e.g., through a web application that accepts user-supplied templates...

6AI score
Exploits0References2Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/19 1:34 p.m.7 views

Security Bulletin: IBM Datapower Operations Dashboard could allocate unbounded memory and crash (DoS) CVE-2025-58754

Summary Axios is used by the IBM Datapower Operations Dashboard for their HTTP Client for node.js and the browser Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions...

7.5CVSS7.4AI score0.0106EPSS
Exploits1Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.8 views

PT-2026-25864

Name of the Vulnerable Software and Affected Versions Admidio versions 5.0.0 through 5.0.6 Description Admidio, an open-source user management solution, contains a flaw in the SSO Metadata API. The modules/sso/fetch metadata.php endpoint accepts an arbitrary URL via the $ GET'url' parameter. This...

6.8CVSS5.9AI score0.00428EPSS
Exploits1References10
Snyk
Snyk
added 2026/03/05 9:13 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the improper sanitization of HTML anchor tags in the comment and issue description functionality. An attacker can execute arbitrary JavaScript in the context of another user by injecting malicious links...

8.7CVSS5.8AI score0.00306EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/05 6:34 p.m.3 views

CVE-2026-26022 Gogs: Stored XSS via data URI in issue comments

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

8.7CVSS5.8AI score0.00306EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/05 6:34 p.m.6 views

CVE-2026-26022

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

8.7CVSS6AI score0.00306EPSS
Exploits1References5Affected Software1
CVE
CVE
added 2026/03/05 6:34 p.m.19 views

CVE-2026-26022

Gogs (self-hosted Git service) prior to v0.14.2 contains a stored XSS in comments and issue descriptions due to an HTML sanitizer allowing data: URI schemes. Exploitation requires authenticated user interaction and can lead to arbitrary JavaScript execution in the context of the affected page. Th...

8.7CVSS6AI score0.00306EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/05 6:34 p.m.35 views

CVE-2026-26022 Gogs: Stored XSS via data URI in issue comments

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting XSS vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrar...

8.7CVSS0.00306EPSS
Exploits1References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/02 8:30 a.m.12 views

Security Bulletin: Multiple vulnerabilites in IBM Rational Build Forge.

Summary IBM Rational Build Forge 8.0.0.29 addresses multiple vulnerabilites Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and i...

9.4CVSS6.9AI score0.05666EPSS
Exploits6Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/02/04 10:24 p.m.6 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in axios-1.11.0.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in axios-1.11.0.tgz Vulnerability Details CVEID:CVE-2025-58754 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on...

7.5CVSS6.6AI score0.0106EPSS
Exploits1Affected Software1
Rosalinux
Rosalinux
added 2026/01/26 12:11 p.m.7 views

Advisory ROSA-SA-2026-3117

software: ffmpeg 4.4.6 OS: ROSA-CHROME unaffected versions = ffmpeg-4.4.6-2 affected versions ffmpeg-4.4.6-2 CVE-ID: CVE-2023-6601 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC.: A vulnerability in FFmpeg's HLS demultiplexer allows bypassing dangerous file extension checks and launching arbitrary...

4.7CVSS5.9AI score0.00397EPSS
Exploits1
Tenable Nessus
Tenable Nessus
added 2026/01/22 12:0 a.m.4 views

Oracle GoldenGate (January 2026 CPU)

The detected versions of GoldenGate installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory. - axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative...

8.7CVSS6.7AI score0.0106EPSS
Exploits2References4
OSV
OSV
added 2026/01/15 8:12 p.m.5 views

GHSA-58Q2-9X27-H2JM solspace/craft-freeform Has a DoS Vulnerability

Summary Freeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion CVE-2025-58754. Freeform version: 4.1.29 Craft CMS version: 4.16.8 Impact When Axios runs on Node.js and is given a URL with the data...

6.9CVSS6.6AI score
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/01/15 8:12 p.m.9 views

solspace/craft-freeform Has a DoS Vulnerability

Summary Freeform plugin v4.1.29 uses vulnerable Axios ^1.7.7 allowing unauthenticated attackers to crash servers via malicious data: URIs causing memory exhaustion CVE-2025-58754. Freeform version: 4.1.29 Craft CMS version: 4.16.8 Impact When Axios runs on Node.js and is given a URL with the data...

7.5CVSS6.1AI score0.0106EPSS
Exploits1References8Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/01/15 6:50 p.m.6 views

Security Bulletin: A vulnerability in axios affects IBM Robotic Process Automation and may result in a denial of service (CVE-2025-58754)

Summary A vulnerability in axios affects IBM Robotic Process Automation and may result in a denial of service. form-data is used by IBM Robotic Process Automation as part of the UI framework. This bulletin identifies the fixes required to address this vulnerability. Vulnerability Details...

7.5CVSS8.4AI score0.0106EPSS
Exploits1Affected Software1
AstraLinux
AstraLinux
added 2026/01/13 2:1 p.m.4 views

Astra Linux – Vulnerability in libsoup3

A flaw was discovered in libsoup. The libsoup soupuridecodedatauri function may crash when processing malformed data URI. This flaw allows an attacker to cause a denial of service DoS attack...

5.9CVSS6.3AI score0.00519EPSS
Exploits0References3
Rows per page
Query Builder