90 matches found
Craft CMS 代码问题漏洞
Craft CMS is an open-source content management system developed by Craft CMS. There are code vulnerabilities in versions 4.5.0-RC1 to 4.16.18, and from 5.0.0-RC1 to 5.8.22 of Craft CMS. These vulnerabilities stem from a GraphQL Asset mutation where the SSRF validation only parses IPv4 addresses,...
CVE-2025-52628
HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0...
CVE-2025-52628
CVE-2025-52628 affects HCL AION 2.0. Connected sources describe a cookie handling issue due to missing or insecure SameSite attributes, enabling cross-site requests and increasing CSRF risk. The CNVD entry calls it a CSRF vulnerability stemming from the cookie SameSite issue; Red Hat and NVD desc...
PT-2026-5904
Name of the Vulnerable Software and Affected Versions HCL AION version 2.0 Description HCL AION is susceptible to a cookie handling issue where cookies may lack proper SameSite attributes, or have insecure or improper configurations. This can allow cookies to be transmitted in unintended cross-si...
CVE-2026-23965 sm-crypto Affected by Signature Forgery in SM2-DSA
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for...
CVE-2026-22782
RustFS is a distributed object storage system built in Rust. From = 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. In...
Jervis Has a JWT Algorithm Confusion Vulnerability
Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovyL244-L249 The code doesn't validate that the JWT header specifies "alg":"RS256". Impact Depending on the broader system, this could allow JWT...
GHSA-5PQ9-5MPR-JJ85 Jervis Has a JWT Algorithm Confusion Vulnerability
Vulnerability https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovyL244-L249 The code doesn't validate that the JWT header specifies "alg":"RS256". Impact Depending on the broader system, this could allow JWT...
CVE-2022-35924
NextAuth.js is a complete open source authentication solution for Next.js applications. next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.:...
PT-2026-1013
Name of the Vulnerable Software and Affected Versions cpp-httplib versions prior to 0.30.0 Description The write headers function in cpp-httplib does not properly validate user-supplied headers, specifically failing to check for carriage return CR and line feed LF characters. This allows attacker...
EUVD-2025-202637
Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.90027, Hub M2 4.3.60027, and Hub M3 4.3.60025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated...
PT-2025-48045
Name of the Vulnerable Software and Affected Versions cggmp21 versions 0.6.3 and earlier cggmp24 version 0.7.0-alpha.1 Description The software is susceptible to a security issue related to the use of presignatures in specific contexts. Specifically, using presignatures in conjunction with HD...
Progress Flowmon 跨站脚本漏洞
Progress Flowmon is a real-time network traffic monitoring tool from Progress. A cross-site scripting vulnerability exists in versions of Progress Flowmon prior to 12.5.5, which originates from a user clicking on a malicious link that could trigger an unexpected action, potentially leading to a...
EUVD-2021-2348
Malware in sbrugna...
EUVD-2023-26864
Malicious code in bioql PyPI...
EUVD-2025-11892
Malicious code in bioql PyPI...
CVE-2025-58688 WordPress Casengo Live Chat Support Plugin <= 2.1.4 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery CSRF vulnerability in Casengo Casengo Live Chat Support the-casengo-chat-widget allows Stored XSS.This issue affects Casengo Live Chat Support: from n/a through = 2.1.4...
CVE-2025-31971 AIML Solutions for HCL SX is susceptible to a URL validation vulnerability
AIML Solutions for HCL SX is vulnerable to a URL validation vulnerability. The issue may allow attackers to launch a server-side request forgery SSRF attack enabling unauthorized network calls from the system, potentially exposing internal services or sensitive information...
F5 Networks BIG-IP : Apache HTTP Server vulnerability (K000152924) (deprecated)
The vendor no longer states that their product is vulnerable. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from F5 Networks BIG-IP Solution K000152924. Disabled on 2026/01/29. Advisory states BIG-IP no longer vulnerable...
org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority
A flaw was found in Jetty. The HttpURI class performs insufficient validation on the authority segment of a URI. The HttpURI and the browser may differ on the value of the host extracted from an invalid URI. This combination of Jetty and a vulnerable browser may be vulnerable to an open redirect...