73 matches found
CVE-2025-10926
CVE-2025-10926 affects the Drupal JSON Field module (before 1.5). The vulnerability arises from improper input neutralization during page generation, enabling Cross-Site Scripting (XSS). Affected: JSON Field module prior to 1.5. Impact: XSS risk on pages rendering JSON Field content. Remediation:...
PT-2025-44354
Name of the Vulnerable Software and Affected Versions: Drupal JSON Field versions prior to 1.5. Description: A flaw exists in Drupal JSON Field that allows for Cross-Site Scripting (XSS). This issue is due to improper neutralization of input during web page generation. Successful exploitation could...
EUVD-2018-8100
Malware in sbrugna...
EUVD-2018-8101
Malware in sbrugna...
EUVD-2023-30347
Malicious code in bioql PyPI...
EUVD-2024-2596
Malicious code in bioql PyPI...
CVE-2023-26550
A SQL injection vulnerability in BMC Control-M before 9.0.20.214 allows attackers to execute arbitrary SQL commands via the memname JSON field...
CVE-2020-35748
Cross-site scripting (XSS) vulnerability in models/list-table.php in the FV Flowplayer Video Player plugin before 7.4.37.727 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the fvwpfvvideoplayersrc JSON field in the data parameter...
python-django: Potential SQL injection in QuerySet.values() and values_list()
A flaw was found in Django. The QuerySet.values and QuerySet.values_list methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...
The vulnerability of the django.db.models.fields.json class in the Django web application framework allows an attacker to execute arbitrary SQL code.
The vulnerability of the django.db.models.fields.json HasKey software platform for Django web applications is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows an attacker, operating remotely, to execute arbitrary SQL code by sending a...
PYSEC-2024-157
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. Applications that use the...
SUSE CVE-2024-53908
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. Applications that use the...
python-django: Potential SQL injection in QuerySet.values() and values_list()
A flaw was found in Django. The QuerySet.values and QuerySet.values_list methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...
The vulnerability of the GetConfPath() function in the Nginx UI server's user interface allows an attacker to write arbitrary files.
The vulnerability of the GetConfPath function in the Nginx UI server’s user interface is related to the improper handling of JSON fields, resulting in incorrect values being retrieved without proper validation. This issue arises due to a faulty restriction on the path to the restricted directory...
CVE-2024-49366
Nginx UI (versions up to 2.0.0-beta.35) is affected by a directory-traversal vulnerability where the UI reads a value from a JSON field without verification, enabling payloads like ../../ to write arbitrary files on the server and potentially cause permission loss. A fix is available: upgrade to ...
python-django: Potential SQL injection in QuerySet.values() and values_list()
A flaw was found in Django. The QuerySet.values and QuerySet.values_list methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...
BIT-GRAFANA-2024-6322
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query...
GHSA-HH8P-374F-QGR5 Grafana plugin data sources vulnerable to access control bypass
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query...
CVE-2024-6322
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query...
OESA-2024-2002 python-django security update
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate method allows remote attackers to enumera...