32 matches found
October Rain has Environment Variable Exfiltration via INI Parser Interpolation
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string function supports ${} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields,...
GHSA-G6V3-WV4J-X9HG October Rain has Environment Variable Exfiltration via INI Parser Interpolation
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string function supports ${} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields,...
CVE-2026-25125
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string function supports ${} syntax for environment variable interpolation, attackers with...
CVE-2026-25125
CVE-2026-25125 affects October CMS versions prior to 3.7.14 and 4.1.10. The issue is a server-side information disclosure in the INI settings parser: if cms.safe_mode is enabled, an Editor user can inject patterns like ${APP_KEY} or ${DB_PASSWORD} via parse_ini_string() through page settings, cau...
CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string function supports ${} syntax for environment variable interpolation, attackers with...
CVE-2020-7617
ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload...
EUVD-2020-0473
Malware in sbrugna...
MAL-2025-16710 Malicious code in cello-ini-parser (npm)
The package cello-ini-parser was found to contain malicious code...
Malicious code in cello-ini-parser (npm)
The package cello-ini-parser was found to contain malicious code...
OESA-2025-1277 iniparser security update
This module offers parsing of ini files from the C level. See a complete documentation in HTML format, from this directory open the file html/index.html with any HTML-capable browser. Security Fixes: Heap-based Buffer Overflow vulnerability in iniparser_dumpsection_ini in iniparser allows attacker...
USN-7286-1 iniparser vulnerability
It was discovered that iniParser incorrectly handled certain files. An attacker could possibly use this issue to cause iniParser to crash, resulting in a denial of service...
USN-6486-1 iniparser vulnerability
It was discovered that iniParser incorrectly handled certain files. An attacker could possibly use this issue to cause a crash...
PT-2022-8903 · Js-Ini · Js-Ini
Name of the Vulnerable Software and Affected Versions: js-ini versions prior to 1.3.0 Description: The issue arises when an attacker submits a malicious INI file to an application that uses the parse function to parse it. This can lead to prototype pollution on the application, which can be furth...
Prototype Pollution
Overview multi-ini is an ini-file parser which supports multi line, multiple levels and arrays to get a maximum of compatibility with Zend config files. Affected versions of this package are vulnerable to Prototype Pollution. It is possible to pollute an object's prototype by specifying the proto...
Prototype Pollution
ini-parser is vulnerable to prototype pollution. An attacker is able to add and modify properties of Object.prototype using a __proto__ payload...
@dawnjs/cli (>=1.11.0 <=1.13.7), @dawnjs/dn-middleware-lint (=3.0.12) +49 more potentially affected by CVE-2020-7617 via ini-parser (=0.0.2)
ini-parser NPM version =0.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on ini-parser and may be impacted: - @dawnjs/cli =1.11.0, =1.0.0, =0.0.1, =1.0.0-beta, =0.0.2, =0.0.1, =0.5.12, =1.0.1, =0.0.1, =3.0.0, =1.0.11, =1.1.4 and more Source cves:...
Prototype Pollution in ini-parser
All versions of ini-parser are vulnerable to prototype pollution. The parse function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available. Conside...
GHSA-96R7-MRQF-JHCC Prototype Pollution in ini-parser
All versions of ini-parser are vulnerable to prototype pollution. The parse function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available. Conside...
Prototype Pollution
Overview All versions of ini-parser are vulnerable to prototype pollution. The parse function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation No fix is currently available...
Prototype Pollution
ini-parser is vulnerable to prototype pollution. An attacker is able to add and modify arbitrary properties via Object.prototype using a __proto__ payload...