CVE-2025-53960

When issuing JSON Web Tokens JWT, Apache StreamPark directly uses the user's password as the HMAC signing key e.g., with the HS256 algorithm. An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge...

Apache StreamPark uses a Weak Encryption Algorithm

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...

GHSA-749J-2HP6-8CXM Apache StreamPark uses a Weak Encryption Algorithm

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...

Security Bulletin: Vulnerabilities in Eran Hammer cryptiles, PostCSS,Node.js,node-notifier,es5-ext ,MySQL Connectors,json-path and tough-cookie might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Eran Hammer cryptiles, PostCSS,Node.js,node-notifier,es5-ext ,MySQL Connectors,json-path and tough-cookier. Vulnerabilities include an attacker is able to brute force something that was supposed to be random, ...

CVE-2025-54981

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...

CVE-2025-54981 Apache StreamPark: Weak Encryption Algorithm in StreamPark

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...

CVE-2025-67731

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc...

CVE-2025-67731 Servify Express does not enforce rate limiting when parsing JSON

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc...

CVE-2025-67731 Servify Express does not enforce rate limiting when parsing JSON

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc...

PT-2025-50903

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc...

PT-2025-50940

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...

📄 dotCMS 24.04.24 Vulnerability Scanner

dotCMS version 24.04.24 advanced exploitation python scanning script that looks for local file inclusion, data exposure, SQL injection, and more. ============================================================================================================================================= | Title :...

CVE-2025-66452

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json includes user input in the error message, which gets reflected in responses. User input including HTML/JavaScript can be exposed in error...

CVE-2025-66452

LibreChat (versions ≤ 0.8.0) is affected by a lack of handling for JSON parsing errors in express.json(). A SyntaxError triggered by user input can be reflected in error responses, exposing input (including HTML/JavaScript) and creating an XSS risk if Content-Type isn’t strictly enforced. The iss...

CVE-2025-66450

CVE-2025-66450 affects LibreChat. Versions 0.8.0 and below allow an attacker to modify the iconURL parameter in a POST request, causing malicious code to be stored in a chat and potentially shared with others. This can lead to privacy loss for users who view the shared chat link. The issue is add...

CVE-2025-66450 LibreChat JSON Injection in Chat POST Allows Remote Resource Inclusion and PXSS via Image Upload

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats wit...

CVE-2025-66450 LibreChat JSON Injection in Chat POST Allows Remote Resource Inclusion and PXSS via Image Upload

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats wit...

CVE-2023-53740

Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. Attackers can exploit the userManager.cgx endpoint by sending a crafted JSON request with a new MD5-hashed password to directly modify...

GHSA-QGC4-8P88-4W7M Servify-express rate limit issue

Impact The Express server uses express.json without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service DoS. Any application using the JSON parser withou...

EUVD-2025-202705

A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/uploadjson.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the...