219 matches found
EUVD-2025-29749
Malicious code in bioql PyPI...
EUVD-2022-51439
Malicious code in bioql PyPI...
EUVD-2022-50654
Malicious code in bioql PyPI...
PT-2025-40603
Name of the Vulnerable Software and Affected Versions Anyquery versions 0.4.3 and below Description Anyquery is an SQL query engine built on top of SQLite. Attackers who have gained access to localhost, even with low privileges, can use the http server through the port unauthenticated and access...
CVE-2025-58432
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v21/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT...
CVE-2025-58432 ZimaOS Privilege Escalation using localhost calls to File API Upload
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v21/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT...
CVE-2025-58432
ZimaOS (a CasaOS fork for Zima devices and x86-64 with UEFI) contains a local privilege-escalation flaw in the /v2_1/files/file/uploadV2 API. In versions before and including 1.4.1, any user with localhost access can upload files via this endpoint and have them executed with root privileges, enab...
CVE-2025-58432 ZimaOS Privilege Escalation using localhost calls to File API Upload
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v21/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT...
CVE-2025-58432 ZimaOS Privilege Escalation using localhost calls to File API Upload
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v21/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT...
CVE-2025-58431 ZimaOS reads arbitrary files using localhost calls to File API Download
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v21/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT...
CVE-2025-58431 ZimaOS reads arbitrary files using localhost calls to File API Download
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v21/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT...
PT-2025-38236
Name of the Vulnerable Software and Affected Versions: ZimaOS versions prior to 1.4.2 Description: ZimaOS, a fork of CasaOS, is susceptible to a file read issue. The /v2 1/files/file/download API endpoint allows unauthorized file access from any user with localhost access. File reads are executed...
ZimaOS 安全漏洞
ZimaOS is an open source operating system project from IceWhaleTech designed to provide a lightweight, high-performance, secure operating system environment. A security vulnerability exists in ZimaOS 1.4.1 and earlier versions that originates in the /v21/files/file/uploadV2 endpoint that allows a...
PT-2025-38241
Name of the Vulnerable Software and Affected Versions: ZimaOS versions prior to 1.4.1 Description: ZimaOS, a fork of CasaOS, is susceptible to a file upload issue. The /v2 1/files/file/uploadV2 API endpoint permits file uploads from any user with localhost access, and these uploads are executed...
CVE-2025-57814 request-filtering-agent SSRF Bypass via HTTPS Requests
request-filtering-agent is an https.Agent implementation that blocks requests to Private/Reserved IP addresses. Versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked. This allows attackers to...
CVE-2025-57814 request-filtering-agent SSRF Bypass via HTTPS Requests
request-filtering-agent is an https.Agent implementation that blocks requests to Private/Reserved IP addresses. Versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked. This allows attackers to...
CVE-2025-57814
CVE-2025-57814 affects the http(s).Agent implementation in request-filtering-agent. Vulnerability: HTTPS requests to 127.0.0.1 bypass IP filtering, allowing potential access to internal HTTPS services and bypass of SSRF protection when user-supplied URLs are used. HTTP requests are blocked as int...
GHSA-PW25-C82R-75MM request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked. Impact: Vulnerable patterns requests that should be blocked but are allowed: - https://127.0.0.1:443/api -...
CVE-2025-8964
CVE-2025-8964 affects code-projects’ Hostel Management System 1.0, specifically the Login component via the hostel_manage.exe file. The vulnerability is described as improper authentication, enabling a local-host attack. The PT-2025-33299 entry confirms the issue and states the exploit has been p...
Server-Side Request Forgery (SSRF)
webfinger.js is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient restriction on localhost access because the lookup function fails to block requests to local or internal network services, allowing attackers to craft requests targeting internal resources...