52300 matches found

Snyk
added 2026/01/05 9:55 p.m., 2 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:vega-selections provides Vega expression functions for Vega-Lite selections. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the vlSelectionTuples processing. An attacker can execute arbitrary JavaScript code in the application's context by...

CVSS 9.3, AI score 5.5, EPSS 0.00025
Exploits 1, References 2
Debian CVE
added 2026/01/05 9:22 p.m., 4 views

CVE-2025-65110

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used...

CVSS 9.3, AI score 6.1, EPSS 0.00025
Exploits 1
OSV
added 2026/01/05 9:22 p.m., 3 views

CVE-2025-65110 Vega Cross-Site Scripting (XSS) via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used...

CVSS 8.1, AI score 7.2, EPSS 0.00025
Exploits 1, References 3
GithubExploit
added 2026/01/05 6:10 p.m., 119 views

SecLeak

SecLeak Assessment. This repository contains the s...

AI score 6.5
Exploits 0
Veracode
added 2026/01/05 3:35 p.m., 4 views

Improper Cryptographic Key Management

Apache StreamPark is vulnerable to Improper Cryptographic Key Management. The vulnerability is due to using the user's password directly as the HMAC signing key for JWTs, which allows an attacker to brute-force passwords offline or forge valid tokens to impersonate users and take over accounts...

CVSS 5.9, AI score 7.2, EPSS 0.00061
Exploits 0, References 4, Affected Software 1
CNNVD
added 2026/01/05 12:00 a.m., 3 views

Vega cross-site scripting vulnerability

Vega is JavaScript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. A cross-site scripting vulnerability exists in Vega versions prio...

CVSS 9.3, AI score 6.3, EPSS 0.00025
Exploits 1, References 1
CNNVD
added 2026/01/05 12:00 a.m., 2 views

Vega cross-site scripting vulnerability

Vega is JavaScript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. A cross-site scripting vulnerability exists in Vega versions prio...

CVSS 7.2, AI score 5.8, EPSS 0.00029
Exploits 1, References 1
GithubExploit
added 2026/01/04 10:58 a.m., 145 views

defacemeter

DefaceMeter. DefaceMeter is a small, static, browser-based pro...

AI score 6.7
Exploits 0
Wolfi
added 2026/01/03 1:48 p.m., 1 view

GHSA-6RW7-VPXM-498P vulnerabilities

Vulnerabilities for packages: kubeflow-pipelines, code-server, kubeflow-centraldashboard, argo-workflows, sqlpad, saf, tileserver-gl, langfuse, renovate, thingsboard, opensearch-dashboards, json-server...

AI score 5.2
Exploits 0
Wolfi
added 2026/01/03 1:48 p.m., 2 views

CVE-2025-15284 vulnerabilities

Vulnerabilities for packages: kubeflow-pipelines, code-server, kubeflow-centraldashboard, argo-workflows, sqlpad, saf, tileserver-gl, langfuse, renovate, thingsboard, opensearch-dashboards, json-server...

CVSS 6.3, AI score 6.2, EPSS 0.00035
Exploits 1
Chainguard
added 2026/01/03 1:17 p.m., 6 views

CVE-2025-15284 vulnerabilities

Vulnerabilities for packages: kubeflow-pipelines, sqlpad, redisinsight, kubeflow-centraldashboard, langfuse-fips, kibana, opensearch-dashboards-fips, tileserver-gl, opensearch-dashboards, renovate, thingsboard, saf, langfuse, json-server, code-server, argo-workflows, arangodb, librechat,...

CVSS 6.3, AI score 6.2, EPSS 0.00035
Exploits 1
RedhatCVE
added 2026/01/02 6:37 p.m., 2 views

CVE-2025-68620

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS 9.1, AI score 7.2, EPSS 0.00064
Exploits 1, References 1
EUVD
added 2026/01/02 3:28 p.m., 2 views

EUVD-2025-206136

Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling...

CVSS 9.1, AI score 6.4, EPSS 0.00064
Exploits 1, References 4
OSV
added 2026/01/02 3:28 p.m., 2 views

GHSA-FQ56-HVG6-WVM5 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...

CVSS 9.1, AI score 6.9, EPSS 0.00064
Exploits 1, References 5
OSV
added 2026/01/02 3:11 p.m., 1 view

GHSA-W3X5-7C4C-66P9 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Summary: An unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files, e.g., security.json,...

CVSS 9.6, AI score 8.9, EPSS 0.00164
Exploits 3, References 5
NVD
added 2026/01/01 7:15 p.m., 4 views

CVE-2025-68620

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS 9.1, EPSS 0.00064
Exploits 1, References 2
Github Security Blog
added 2026/01/01 6:30 p.m., 6 views

Apache StreamPipes has Improper Privilege Management issue

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over...

CVSS 8.1, AI score 7, EPSS 0.0002
Exploits 0, References 5, Affected Software 1
OSV
added 2026/01/01 6:30 p.m., 2 views

GHSA-5R2G-VPHF-M5XC Apache StreamPipes has Improper Privilege Management issue

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over...

CVSS 7.1, AI score 6.9, EPSS 0.0002
Exploits 0, References 5
Snyk
added 2026/01/01 6:30 p.m., 5 views

Incorrect Authorization

Overview: streampipes is a Python library for Apache StreamPipes. Affected versions of this package are vulnerable to Incorrect Authorization via the user ID creation mechanism. A user can gain administrative privileges by manipulating JWT tokens and swapping the username of an existing user with a...

CVSS 8.8, AI score 7, EPSS 0.0002
Exploits 0, References 2
Vulnrichment
added 2026/01/01 6:29 p.m., 1 view

CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS 9.1, AI score 6.8, EPSS 0.00064
Exploits 1, References 2