52300 matches found

OSV | added 2026/01/01 6:00 p.m. | 2 views

CVE-2025-66398 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restor...

CVSS 9.6 | AI score 7.6 | EPSS 0.00164
Exploits: 3 | References: 4

NVD | added 2026/01/01 5:15 p.m. | 4 views

CVE-2025-47411

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over...

CVSS 8.1 | EPSS 0.0002
Exploits: 0 | References: 2

OSV | added 2026/01/01 5:15 p.m. | 4 views

CVE-2025-47411

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over...

CVSS 8.1 | AI score 6.9
Exploits: 0 | References: 2

EUVD | added 2026/01/01 4:41 p.m. | 3 views

EUVD-2026-0016

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over...

AI score 6.4 | EPSS 0.0002
Exploits: 0 | References: 3

CVE | added 2026/01/01 4:41 p.m. | 59 views

CVE-2025-47411

CVE-2025-47411 affects Apache StreamPipes up to version 0.97.0. A non-administrator user can exploit a flaw in the user ID creation mechanism to swap a real user's username with an administrator's, enabling privilege escalation by manipulating JWT tokens. Reported impact includes administrative c...

CVSS 8.1 | AI score 6.6 | EPSS 0.0002
Exploits: 0 | References: 2 | Affected software: 1

GithubExploit | added 2026/01/01 10:05 a.m. | 164 views

Exploit for CVE-2025-67158

CVE-2025-67158 — Revotech I6032W-FHW Summary The Revotech...

AI score 7.2 | EPSS 0.00078
Exploits: 2

Positive Technologies | added 2026/01/01 12:00 a.m. | 3 views

PT-2026-25090

Name of the Vulnerable Software and Affected Versions: PyJWT versions prior to 2.12.0. Description: PyJWT is a Python implementation for handling JSON Web Tokens (JWT). Before version 2.12.0, the library did not properly validate the 'crit' (Critical) Header Parameter as defined in RFC 7515 §4.1.11...

CVSS 7.8 | AI score 5.8 | EPSS 0.0002
Exploits: 1 | References: 103

Positive Technologies | added 2026/01/01 12:00 a.m. | 6 views

PT-2026-25779

Name of the Vulnerable Software and Affected Versions: Authlib versions prior to 1.6.9. Description: Authlib is a Python library used for building OAuth and OpenID Connect servers. A JWK Header Injection flaw exists in the library's JWS implementation, allowing an unauthenticated attacker to forge...

CVSS 9.1 | AI score 6 | EPSS 0.00081
Exploits: 3 | References: 24

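The two Positive Technologies entries above (PT-2026-25090 on PyJWT's 'crit' handling, PT-2026-25779 on Authlib's JWK header injection) are both failures of JWS header policy rather than of the MAC itself. The block below is an added Python example, not code from PyJWT, Authlib or either advisory: a strict HS256 verifier that refuses any header which nominates its own key (jwk, jku, x5u, x5c) and enforces 'crit' as RFC 7515 §4.1.11 specifies (non-empty array, no registered names, no duplicates, every name present and understood). SERVER_KEY, the attacker key, the sample tokens and the empty UNDERSTOOD_CRIT set are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example. A real service loads its HMAC key from its
# own configuration or a KMS; it never takes it from the token being checked.
SERVER_KEY = b"example-server-hmac-key-not-for-production"

# Header names registered by RFC 7515 / RFC 7518; RFC 7515 section 4.1.11
# forbids any of these from appearing in "crit".
REGISTERED_HEADERS = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c",
                                "x5t", "x5t#S256", "typ", "cty", "crit"})
# Headers that carry or point at a key; honouring them lets the sender pick
# the verification key (the "JWK header injection" class of bug).
KEY_CARRYING_HEADERS = frozenset({"jwk", "jku", "x5u", "x5c"})
# Critical extensions this verifier implements: none, so any "crit" entry
# it does not know must make the whole JWS invalid.
UNDERSTOOD_CRIT = frozenset()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    if "=" in text:
        raise ValueError("base64url segments must be unpadded")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS; used here only to construct sample tokens."""
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in (header, payload)]
    mac = hmac.new(key, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(mac)])


def verify(token: str, key: bytes = SERVER_KEY) -> dict:
    """Strict HS256 verification; raises ValueError on any policy violation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    # 1. The token must not nominate its own verification key.
    leaked = KEY_CARRYING_HEADERS.intersection(header)
    if leaked:
        raise ValueError(f"key-carrying header rejected: {sorted(leaked)}")
    # 2. "crit": non-empty array of strings, no registered names, no
    #    duplicates, each name present in the header and understood here.
    if "crit" in header:
        crit = header["crit"]
        if (not isinstance(crit, list) or not crit
                or not all(isinstance(n, str) for n in crit)):
            raise ValueError("crit must be a non-empty array of strings")
        if len(set(crit)) != len(crit):
            raise ValueError("crit contains duplicates")
        for name in crit:
            if name in REGISTERED_HEADERS:
                raise ValueError(f"crit lists registered header {name!r}")
            if name not in header:
                raise ValueError(f"crit names absent header {name!r}")
            if name not in UNDERSTOOD_CRIT:
                raise ValueError(f"critical extension {name!r} not understood")
    # 3. Only now the MAC, with the server's key and a constant-time compare.
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))


def outcome(token: str) -> str:
    """'accepted', or 'rejected: <reason>'."""
    try:
        verify(token)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Constructed tokens: one honest, three that a lax verifier could accept."""
    attacker_key = b"attacker-chosen-key"
    honest = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, SERVER_KEY)
    # Signed with the attacker's key, which is then shipped inside the header.
    injected_jwk = sign_hs256(
        {"alg": "HS256", "jwk": {"kty": "oct", "k": b64url_encode(attacker_key)}},
        {"sub": "admin"}, attacker_key)
    # Valid signature, but declares a critical extension this verifier lacks.
    unknown_crit = sign_hs256(
        {"alg": "HS256", "crit": ["exp-policy"], "exp-policy": "ignore"},
        {"sub": "alice"}, SERVER_KEY)
    empty_crit = sign_hs256({"alg": "HS256", "crit": []}, {"sub": "alice"}, SERVER_KEY)
    return {"honest": outcome(honest), "injected_jwk": outcome(injected_jwk),
            "unknown_crit": outcome(unknown_crit), "empty_crit": outcome(empty_crit)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The ordering inside verify() is deliberate: header policy is decided before any key is touched, so a token that carries its own key or an unknown critical extension is refused even when its MAC would check out under some key.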
Positive Technologies | added 2026/01/01 12:00 a.m. | 2 views

PT-2026-20985

Name of the Vulnerable Software and Affected Versions: Zumba Json Serializer versions 3.2.2 and below. Description: The Zumba Json Serializer library allows deserialization of PHP objects from JSON using a special @type field. Prior to version 3.2.3, the deserializer instantiates any class specified...

CVSS 8.1 | AI score 6 | EPSS 0.00143
Exploits: 0 | References: 16

EUVD | added 2025/12/30 7:34 p.m. | 1 view

EUVD-2025-205842

YOURLS is vulnerable to XSS through JSONP and Callback request parameters...

AI score 5.9
Exploits: 0 | References: 3

OSV | added 2025/12/30 7:34 p.m. | 0 views

GHSA-6MP4-Q625-MXJP YOURLS is vulnerable to XSS through JSONP and Callback request parameters

Summary: The callback and jsonp request parameters are directly concatenated into the response without any sanitization, allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In...

CVSS 7.1 | AI score 6.5
Exploits: 0 | References: 3

OSSF Malicious Packages | added 2025/12/30 4:12 p.m. | 3 views

Malicious code in @peter_wilson12091/internal-json-test-parser (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector (18430304f650bf998b2421e45c0b8b01fce58239d3dd6fbe9de753128aac9a4d): The package @peterwilson12091/internal-json-test-parser was found to contain malicious code. Source: ghsa-malware...

AI score 6.9
Exploits: 0 | References: 1

EUVD | added 2025/12/30 4:12 p.m. | 3 views

EUVD-2025-205797

Malicious code in @peterwilson12091/internal-json-test-parser (npm)...

AI score 6.6
Exploits: 0 | References: 1

Fedora | added 2025/12/30 12:38 a.m. | 5 views

[SECURITY] Fedora 43 Update: golang-github-jwt-5-5.2.1-6.fc43

A Go implementation of JSON Web Tokens...

CVSS 7.5 | AI score 7 | EPSS 0.00042
Exploits: 0

RedhatCVE | added 2025/12/29 5:01 p.m. | 2 views

CVE-2025-15144

A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function drshowerror/drexitmsg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. Manipulation of the argument callback causes cross-site scripting. The attack can be initiated...

CVSS 6.1 | AI score 3.6 | EPSS 0.00034
Exploits: 1 | References: 1

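The YOURLS entries (EUVD-2025-205842, GHSA-6MP4-Q625-MXJP) and the XunRuiCMS entry (CVE-2025-15144) above describe the same defect: the JSONP callback parameter is echoed into the response body unchanged, so a request such as callback=<script>... turns the API endpoint into a reflected XSS sink. The block below is an added Python example, not code from YOURLS, XunRuiCMS or either advisory; it places the vulnerable concatenation next to a hardened handler. The callback grammar, the length caps, the sample payload and the attacker string are constructed for the example.

```python
import json
import re

# A JSONP callback is a plain JavaScript identifier, optionally dotted
# ("jQuery1234_cb", "window.app.cb"). The length caps are a constructed choice.
CALLBACK_RE = re.compile(
    r"[A-Za-z_$][A-Za-z0-9_$]{0,63}(?:\.[A-Za-z_$][A-Za-z0-9_$]{0,63}){0,3}")


def is_valid_callback(callback: str) -> bool:
    return CALLBACK_RE.fullmatch(callback) is not None


def jsonp_body_vulnerable(callback: str, data: dict) -> str:
    """The pattern the advisories describe: the parameter is concatenated raw."""
    return callback + "(" + json.dumps(data) + ");"


def jsonp_response(callback: str, data: dict) -> tuple:
    """Hardened: validate the name, keep HTML-significant characters out of the
    JSON, prefix a comment so the body cannot start with attacker data, and set
    headers that stop the response being sniffed and rendered as HTML."""
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback")
    body = json.dumps(data, ensure_ascii=True)   # ensure_ascii also escapes U+2028/2029
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return "/**/" + callback + "(" + body + ");", headers


def demo() -> dict:
    data = {"status": "ok", "url": "https://example.invalid/abc"}  # constructed payload
    evil = "<script>alert(document.domain)</script>//"             # constructed attacker value
    results = {"vulnerable": jsonp_body_vulnerable(evil, data),
               "good": jsonp_response("jQuery1234_cb", data)[0]}
    try:
        jsonp_response(evil, data)
        results["hardened"] = "accepted"
    except ValueError as exc:
        results["hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allow-list on the callback name is the fix that matters; the JSON escaping, comment prefix and nosniff header are defence in depth for the case where the response is ever served or sniffed as text/html.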
GithubExploit | added 2025/12/29 10:36 a.m. | 132 views

Exploit for CVE-2025-14847

CYBERDUDEBIVASH MONGODB DETECTOR TOOL v2026.1 Detect expose...

CVSS 8.7 | AI score 7 | EPSS 0.62808
Exploits: 38

NVD | added 2025/12/27 5:15 p.m. | 5 views

CVE-2025-15108

A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of a hard-coded cryptographic key. The attack may be...

CVSS 6.3 | EPSS 0.00032
Exploits: 0 | References: 4

Vulnrichment | added 2025/12/27 4:32 p.m. | 4 views

CVE-2025-15108 PandaXGO PandaX JWT Secret config.yml hard-coded key

A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of a hard-coded cryptographic key. The attack may be...

CVSS 6.3 | AI score 4.3 | EPSS 0.00032
Exploits: 0 | References: 4

EUVD | added 2025/12/27 4:32 p.m. | 3 views

EUVD-2025-205477

A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of a hard-coded cryptographic key. The attack may be...

CVSS 6.3 | AI score 6 | EPSS 0.00032
Exploits: 0 | References: 5

Cvelist | added 2025/12/27 4:32 p.m. | 18 views

CVE-2025-15108 PandaXGO PandaX JWT Secret config.yml hard-coded key

A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of a hard-coded cryptographic key. The attack may be...

CVSS 6.3 | EPSS 0.00032
Exploits: 0 | References: 4

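The four CVE-2025-15108 entries above describe a JWT signing key that ships hard-coded in config.yml, so every installation that keeps the file as delivered signs tokens with a key an attacker can read from the public repository. The block below is an added Python example, not PandaX code or anything from the advisories: a startup guard that refuses a placeholder or weak secret read from the config file and prefers one supplied per installation. The config fragment, the placeholder list, the entropy threshold and the environment-variable name JWT_SECRET are assumptions made for the example.

```python
import math
import re
import secrets
from collections import Counter
from typing import Optional

# Placeholders commonly left in shipped config files. A constructed list for
# this example, not a claim about any particular project's default.
PLACEHOLDER_SECRETS = frozenset({"secret", "changeme", "change-me", "password",
                                 "jwt-secret", "jwtsecret", "your-secret-key",
                                 "default", "123456"})
MIN_SECRET_BYTES = 32    # 256 bits: RFC 7518 section 3.2 requires HS256 keys at least hash-sized
MIN_BITS_PER_CHAR = 3.0  # constructed threshold; only meant to catch degenerate values
ENV_VAR = "JWT_SECRET"   # assumed environment variable name


def shannon_bits_per_char(value: str) -> float:
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0


def assess_secret(value: str) -> list:
    """Reasons the secret is unacceptable; an empty list means it passes."""
    problems = []
    if value.strip().lower() in PLACEHOLDER_SECRETS:
        problems.append("placeholder value")
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        problems.append(f"shorter than {MIN_SECRET_BYTES} bytes")
    if shannon_bits_per_char(value) < MIN_BITS_PER_CHAR:
        problems.append("low entropy")
    return problems


def config_jwt_key(config_text: str) -> Optional[str]:
    """Pull the value of a 'key:' line out of a YAML fragment. Deliberately
    minimal so the example needs no YAML parser; a real service would read
    the value through its normal config loader."""
    m = re.search(r"^\s*key:\s*(.+?)\s*$", config_text, re.MULTILINE)
    return m.group(1).strip("\"'") if m else None


def resolve_jwt_secret(config_text: str, env: dict) -> tuple:
    """Return (secret, source). The environment wins; a config-file value is
    accepted only if it is not a placeholder and is strong enough. Refusing to
    start beats silently signing tokens with a key every installation shares."""
    candidate, source = env.get(ENV_VAR), "environment"
    if candidate is None:
        candidate, source = config_jwt_key(config_text), "config.yml"
    if not candidate:
        raise RuntimeError("no JWT secret configured")
    problems = assess_secret(candidate)
    if problems:
        raise RuntimeError(f"refusing JWT secret from {source}: " + ", ".join(problems))
    return candidate, source


def generate_secret() -> str:
    """A per-installation replacement: 32 random bytes, base64url-encoded."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def demo() -> dict:
    # Constructed config.yml with the kind of shipped default the advisory describes.
    shipped = 'server:\n  port: 8080\njwt:\n  key: "secret"\n  expire: 72\n'
    results = {}
    try:
        resolve_jwt_secret(shipped, {})
        results["shipped_default"] = "accepted"
    except RuntimeError as exc:
        results["shipped_default"] = str(exc)
    secret, source = resolve_jwt_secret(shipped, {ENV_VAR: generate_secret()})
    results["fresh_env_source"] = source
    results["fresh_env_length"] = len(secret)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The Shannon estimate is a coarse filter, not a strength oracle: it rejects "secret" or "aaaaaaaa" but would pass a sequential string, so the placeholder list and the length floor do most of the work. The point of the guard is that a deployment which never replaced the shipped key fails loudly at startup instead of issuing forgeable tokens.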