29907 matches found
GHSA-9H3P-52VH-959W vulnerabilities
Vulnerabilities for packages: ingress-nginx-controller...
CVE-2026-58578
LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service ReDoS vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craf...
GHSA-X7XJ-JVWP-97RV vulnerabilities
Vulnerabilities for packages: rke2-runtime, rke2-runtime-fips...
Github Enterprise Authenticated Remote Code Execution
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the...
H3C SSL VPN <=2022-07-10 - Cross-Site Scripting
H3C SSL VPN 2022-07-10 and prior contains a cookie-based cross-site scripting vulnerability in wnm/login/login.json svpnlang. id: CVE-2022-35416 info: name: H3C SSL VPN =2022-07-10 - Cross-Site Scripting author: 0x240x23elu severity: medium description: | H3C SSL VPN 2022-07-10 and prior contains...
Mongo-Express - Remote Code Execution
Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...
Hestiacp <= 1.7.7 - Cross-Site Scripting
Cross-site Scripting XSS - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. id: CVE-2023-3479 info: name: Hestiacp = 1.7.7 - Cross-Site Scripting author: edoardottt severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository hestiacp/hestiacp prior to...
Imgproxy < 3.14.0 - Cross-site Scripting (XSS)
Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0. id: CVE-2023-1496 info: name: Imgproxy 3.14.0 - Cross-site Scripting XSS author: pdteam severity: medium description: Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to...
osTicket < v1.16.6 - Cross-Site Scripting
Cross-site Scripting XSS - Generic in GitHub repository osticket/osticket prior to v1.16.6. id: CVE-2023-1318 info: name: osTicket v1.16.6 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Cross-site Scripting XSS - Generic in GitHub repository osticket/osticket prior to...
CopyParty v1.8.6 - Cross Site Scripting
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting XSS Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link...
Structurizr on-premises - Cross Site Scripting
Cross-site Scripting XSS - Reflected in GitHub repository structurizr/onpremises prior to 3194. id: CVE-2023-5556 info: name: Structurizr on-premises - Cross Site Scripting author: shankaracharya severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository...
Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuratio...
Mastodon Prototype Pollution Vulnerability
The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype Pollution vulnerability. id: CVE-2022-0432 info: name: Mastodon Prototype Pollution Vulnerability author: pikpikcu severity: medium description: The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype...
Froxlor < 0.10.38.2. - HTML Injection
HTML Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2. id: CVE-2022-3869 info: name: Froxlor TEST" matchers-condition: and matchers: - type: word part: body words: - 'The message to ""TEST" failed' - type: word part: header words: - "text/html" - type: status status: - 200 d...
CandidATS 3.0.0 - Cross-Site Scripting
CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...
Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read
Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version...
Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting
Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site scripting via the GET "ajax" parameter to snarfajax.php. id: CVE-2011-4336 info: name: Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting author: pikpikcu severity: medium description: Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site...
OpenEMR < 7.0.1 - Cross-site Scripting
Cross-site Scripting XSS - Reflected in GitHub repository openemr/openemr prior to 7.0.1. id: CVE-2023-2949 info: name: OpenEMR 7.0.1 - Cross-site Scripting author: ritikchaddha,princechaddha severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository openemr/openemr...
mlflow - Path Traversal
Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. id: CVE-2023-6831 info: name: mlflow - Path Traversal author: byObin severity: high description: | Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. impact: | Authenticated attackers...
Kavita <0.5.4.1 - Server-Side Request Forgery
Kavita before 0.5.4.1 is susceptible to server-side request forgery in GitHub repository kareadita/kavita. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-2756 info: name:...