480 matches found
CVE-2025-30223
Beego (Go framework) contains an XSS vulnerability in RenderForm() up to version 2.3.5, caused by improper HTML escaping of user-controlled data. This allows injection of attacker-controlled JavaScript in rendered forms, potentially enabling session hijacking, credential theft, or account takeove...
CVE-2025-0183
A stored cross-site scripting XSS vulnerability exists in the Latex Proof-Reading Module of binary-husky/gptacademic version 3.9.0. This vulnerability allows an attacker to inject malicious scripts into the debuglog.html file generated by the module. When an admin visits this debug report, the...
CVE-2025-29779
Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing VSS scheme. In versions 0.8.0b2 and prior, the secureredundantexecution function in feldmanvss.py attempts to mitigate fault injection attacks by executing a function...
CVE-2025-29779
The CVE describes a fault-injection countermeasure weakness in the Python implementation of Post-Quantum Secure Feldman’s Verifiable Secret Sharing (VSS) in PostQuantum-Feldman-VSS, specifically the secure_redundant_execution function. Affected versions up to 0.8.0b2 are vulnerable because Python...
Announcing the winners of the Adaptive Prompt Injection Challenge (LLMail-Inject)
We are excited to announce the winners of LLMail-Inject, our first Adaptive Prompt Injection Challenge! The challenge ran from December 2024 until February 2025 and was featured as one of the four official competitions of the 3rd IEEE Conference on Secure and Trustworthy Machine Learning IEEE...
Prototype Pollution
Vue I18n is vulnerable to Prototype Pollution. The vulnerability is due to improper input handling in the handleFlatJson function, allowing an attacker to modify the global prototype chain, potentially leading to denial of service DoS or more severe injection-based attacks...
CVE-2025-27597 Vue I18n Prototype Pollution in `handleFlatJson`
Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the...
CVE-2025-25294 Envoy Gateway Log Injection Vulnerability
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. If the...
USN-7318-1: SPIP vulnerabilities
It was discovered that svg-sanitizer, vendored in SPIP, did not properly sanitize SVG/XML content. An attacker could possibly use this issue to perform cross site scripting. This issue only affected Ubuntu 24.10. CVE-2022-23638 It was discovered that SPIP did not properly sanitize certain inputs....
Linux Distros Unpatched Vulnerability : CVE-2017-17513
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attacke...
Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : PostgreSQL vulnerability (USN-7315-1)
The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7315-1 advisory. Stephen Fewer discovered that PostgreSQL incorrectly handled quoting syntax in certain scenarios. A remote attacker could possibly...
CVE-2025-23405
Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks ex log injection...
CVE-2025-23405
Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks ex log injection...
CVE-2025-23405 Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application Improper Output Neutralization For Logs
Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks ex log injection...
CVE-2025-23405
CVE-2025-23405 affects the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application. The root issue is unauthenticated logging that can affect metrics collection and incident response, with an associated risk of log injection. The NVD/NIST record notes network-exposed co...
PT-2025-9116 · Dario Health · Dario Application Database/Internet-Based Server Infrastructure +1
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue affects metrics gathering and incident response efforts, potentially exposing the risk of injection attacks, such as log injection. Recommendations: At the moment, there is no...
Dario Health USB-C Blood Glucose Monitoring System 安全漏洞
The Dario Health USB-C Blood Glucose Monitoring System is a portable blood glucose monitoring device from Dario Health, Israel. A security vulnerability exists in the Dario Health USB-C Blood Glucose Monitoring System that stems from unauthenticated logs affecting metrics collection and event...
xml2rfc has file inclusion irregularities
Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag. This prevented XML External Entity XXE injection attacks with xinclude and XML entity references. It was discovered that xml2rfc does not respect...
CVE-2022-43531
Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information...
CVE-2022-43520
Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities...