34 matches found

OSV · added 2026/05/05 8:02 p.m. · 2 views

GHSA-VV66-6RP4-WR4F OpenBao's Namespace Deletion May Not Delete Data Properly

Impact: When OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving unrelated storage entries around. Patches: This will be patched in OpenBao...

CVSS 2.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 5
OSV · added 2026/02/26 12:42 a.m. · 3 views

CVE-2026-27888 pypdf: Manipulated FlateDecode XFA streams can exhaust RAM

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode...

CVSS 8.7 · AI score 5.5 · EPSS 0.00055
Exploits 1 · References 6
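The pypdf entry above is a decompression-bomb variant: a small /FlateDecode stream that inflates to far more than the machine has. The following is an added example (not pypdf's own code) of the defensive pattern that class of bug calls for: inflate under an absolute output budget, and optionally under an output/input ratio, checking after every chunk rather than after the whole stream has been expanded. The sample stream and the zero-filled bomb are constructed inline; `inflate_bounded` and `inflate_report` are names chosen here.

```python
import zlib
from typing import Optional


class DecompressionBombError(ValueError):
    """Raised when inflating a stream would exceed the configured budget."""


def inflate_bounded(data: bytes, max_out: int = 8 * 1024 * 1024,
                    max_ratio: Optional[float] = None,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib (PDF /FlateDecode) stream without letting it exhaust RAM.

    decompressobj().decompress(buf, max_length) returns at most max_length bytes
    per call and parks the unread input in .unconsumed_tail, so the output size
    is checked after every chunk instead of after the whole stream has been
    expanded in memory. A bomb is rejected once it has produced just over
    max_out bytes. max_ratio optionally caps output/input size as well, which
    catches small streams that inflate to a suspicious multiple of their own
    size while still staying under the absolute budget.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        out += inflater.decompress(pending, chunk)
        if len(out) > max_out:
            raise DecompressionBombError(
                f"inflated output exceeds {max_out} bytes from {len(data)} compressed bytes")
        if max_ratio is not None and len(out) > max_ratio * len(data):
            raise DecompressionBombError(
                f"inflated output exceeds {max_ratio}x the {len(data)} compressed bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()  # anything zlib still held back; re-check the budget
    if len(out) > max_out:
        raise DecompressionBombError(f"inflated output exceeds {max_out} bytes")
    return bytes(out)


def inflate_report(data: bytes, **limits) -> str:
    """One-line verdict for logging: 'ok: N bytes' or 'rejected: reason'."""
    try:
        return f"ok: {len(inflate_bounded(data, **limits))} bytes"
    except DecompressionBombError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs: a small ordinary stream and a zero-filled bomb.
SAMPLE_TEXT = b"/Type /XFA stream contents, repeated a few times. " * 20
SAMPLE_STREAM = zlib.compress(SAMPLE_TEXT)


def make_zero_bomb(uncompressed_size: int) -> bytes:
    """A stream of NUL bytes; deflate shrinks it roughly 1000:1."""
    return zlib.compress(b"\x00" * uncompressed_size)


if __name__ == "__main__":
    print(inflate_report(SAMPLE_STREAM))
    print(inflate_report(make_zero_bomb(32 * 1024 * 1024), max_out=1 << 20))
    print(inflate_report(make_zero_bomb(32 * 1024 * 1024), max_out=1 << 30, max_ratio=50))
```

The budget should be sized for the object being decoded (an XFA packet, a content stream, an image) rather than set globally, and the rejection should be logged with the object number so a malicious document can be traced back to its source.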
Positive Technologies · added 2026/02/04 12:00 a.m. · 3 views

PT-2026-6448

Impact: Affected versions of Winter CMS allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage asse...

AI score 5.3
Exploits 0 · References 4
CVE · added 2026/01/23 11:18 p.m. · 15 views

CVE-2026-24128

CVE-2026-24128 affects XWiki Platform and related distributions. Concrete details across sources: vulnerable versions of XWiki Platform (7.0-milestone-2 up to 16.10.11; 17.0.0-rc-1 up to 17.4.4; 17.5.0-rc-1 up to 17.7.0) are susceptible to a reflected XSS via crafted URLs, enabling actions with t...

CVSS 6.5 · AI score 5.9 · EPSS 0.00073
Exploits 0 · References 6 · Affected Software 2
EUVD · added 2025/11/14 5:46 p.m. · 4 views

EUVD-2025-180542

@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields...

CVSS 7.5 · AI score 6.4 · EPSS 0.0016
Exploits 0 · References 5
EUVD · added 2025/10/07 12:30 a.m. · 8 views

EUVD-2021-1492

Malware in sbrugna...

CVSS 5.7 · AI score 5.6 · EPSS 0.0017
Exploits 1 · References 5
EUVD · added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-1710

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 7 · EPSS 0.00154
Exploits 0 · References 6
EUVD · added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-7041

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 4.7 · EPSS 0.00492
Exploits 1 · References 9
EUVD · added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-2843

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 6.4 · EPSS 0.00381
Exploits 1 · References 8
Positive Technologies · added 2025/09/10 11:44 a.m. · 151 views

PT-2025-21: Local Privilege Escalation in Microsoft OneDrive

The vulnerability was identified in Microsoft OneDrive for macOS, version 25.020.0202. Local privilege escalation allows an attacker to escalate privileges from a normal user to root. To exploit the vulnerability a potential attacker must be able to...

CVSS 7 · AI score 7.8
Exploits 0
GitHub Security Blog · added 2025/08/05 3:32 p.m. · 11 views

XWiki allows Reflected XSS in two templates

Impact Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. PoC URLs are /xwiki/bin/view/Main/?xpage=jobstatusjson&jobId=asdf&translationPrefix= and...

CVSS 6.5 · AI score 6.3 · EPSS 0.00068
Exploits 1 · References 5 · Affected Software 1
RedhatCVE · added 2025/06/01 7:33 p.m. · 5 views

CVE-2025-48883

Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS cross-site scripting vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding...

CVSS 5.3 · AI score 6 · EPSS 0.00331
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 10:30 p.m. · 5 views

CVE-2022-24725

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zs...

CVSS 6.2 · AI score 6.7 · EPSS 0.00296
Exploits 1 · References 1
RedhatCVE · added 2025/05/22 9:19 p.m. · 6 views

CVE-2021-32731

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Between and including versions 13.1RC1 and 13.1, the reset password form reveals the email address of users just by giving their username. The problem has been patched on XWiki 13.2RC1. As a...

CVSS 5.3 · AI score 6.9 · EPSS 0.00087
Exploits 0 · References 1
Cvelist · added 2025/05/14 3:54 p.m. · 25 views

CVE-2025-47782 motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution

motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed camera device path with the add/addcamera motionEye web API allows an attacker with motionEye admin user credentials to execute...

CVSS 9.3 · EPSS 0.00331
Exploits 0 · References 3
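The motionEye entry above describes a camera device path that reaches a command. As an added illustration (not motionEye's code, and not a reconstruction of its add_camera handler), here is the pattern that produces this class of bug beside its hardened form. `echo` stands in for the real probe tool so the block runs anywhere, and the `/dev/videoN` allow-list is an assumption made for the example.

```python
import re
import subprocess

# Allow-list for Video4Linux device nodes (an assumption for this example; a real
# deployment would derive it from configuration or from /dev enumeration).
DEVICE_RE = re.compile(r"/dev/video[0-9]{1,3}")

# Stand-in for the real probe tool so the example runs on any machine.
PROBE_TOOL = ["echo", "probing"]


def is_valid_device_path(path: str) -> bool:
    """Accept only a literal /dev/videoN node; every other string is refused."""
    return DEVICE_RE.fullmatch(path) is not None


def run_probe_vulnerable(path: str) -> str:
    """Vulnerable pattern: the caller's path is spliced into one shell command line.

    The shell, not the probe tool, interprets the result, so "/dev/video0; id"
    ends the first command at the semicolon and runs a second one with the web
    server's privileges. Returns the combined stdout so the extra command's
    output is visible.
    """
    cmd = f"{' '.join(PROBE_TOOL)} {path}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def probe_argv(path: str) -> list:
    """Hardened: allow-list the path, then build argv as a list with no shell involved."""
    if not is_valid_device_path(path):
        raise ValueError(f"refusing device path {path!r}")
    return PROBE_TOOL + [path]


def run_probe_hardened(path: str) -> str:
    """argv execution keeps ';' a plain character even if the allow-list were loosened."""
    return subprocess.run(probe_argv(path), capture_output=True, text=True).stdout


if __name__ == "__main__":
    hostile = "/dev/video0; echo INJECTED"
    print("vulnerable:", run_probe_vulnerable(hostile).splitlines())
    print("hardened:  ", run_probe_hardened("/dev/video0").strip())
    print("hostile path accepted by allow-list?", is_valid_device_path(hostile))
```

Both halves matter: the allow-list stops paths that are not device nodes from reaching any tool at all, and the argv form means that whatever does get through is delivered as a single argument rather than parsed by a shell. Admin-only reachability, as in the entry above, lowers the likelihood but not the impact, since an admin session obtained by phishing or credential reuse becomes code execution on the host.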
Vulnrichment · added 2025/05/14 3:29 p.m. · 8 views

CVE-2025-47778 Sulu vulnerable to XXE in SVG File upload Inspector

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has...

CVSS 8.6 · AI score 6.6 · EPSS 0.00243
Exploits 0 · References 3
OSV · added 2025/05/14 3:29 p.m. · 8 views

CVE-2025-47778 Sulu vulnerable to XXE in SVG File upload Inspector

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has...

CVSS 8.6 · AI score 6.8 · EPSS 0.00243
Exploits 0 · References 5
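Two entries on this page concern SVG uploads: the Sulu XXE above (external entities loaded while inspecting the file) and the Winter CMS entry earlier (SVGs stored without sanitization, which is a stored-XSS vector when they are served inline). The following is an added example, not code from either project, of a gate an upload handler can run before the file is stored or parsed by anything heavier. It uses Python's stdlib expat and refuses at the first finding; the sample SVGs are constructed inline and the function and constant names are choices made here.

```python
import xml.parsers.expat


class SvgRejected(Exception):
    """Internal signal: stop parsing and report why the file was refused."""


# Elements that carry script or embed arbitrary HTML (foreignObject wraps XHTML).
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that name a resource; after namespace splitting, xlink:href is "href" too.
URL_ATTRIBUTES = {"href"}


def _local_name(qualified: str) -> str:
    """With namespace processing on, expat reports names as 'namespace-uri local'."""
    return qualified.rsplit(" ", 1)[-1]


def svg_rejection_reason(data: bytes):
    """Return None if the SVG may be stored, otherwise a short reason string.

    The checks run inside expat's callbacks, so a DOCTYPE (where external
    entities and entity-expansion bombs are declared) aborts the parse before
    any entity is ever looked at. xml-stylesheet instructions, script-bearing
    elements, on* event handlers and non-fragment href values are refused too.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    seen_root = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise SvgRejected(f"DOCTYPE declaration present (root name {name!r})")

    def on_pi(target, _data):
        if target.lower() == "xml-stylesheet":
            raise SvgRejected("xml-stylesheet processing instruction loads an external stylesheet")

    def on_start(name, attrs):
        nonlocal seen_root
        local = _local_name(name)
        if not seen_root:
            seen_root = True
            if local != "svg":
                raise SvgRejected(f"root element is <{local}>, not <svg>")
        if local in BLOCKED_ELEMENTS:
            raise SvgRejected(f"blocked element <{local}>")
        for attr, value in attrs.items():
            attr_local = _local_name(attr)
            if attr_local.lower().startswith("on"):
                raise SvgRejected(f"event handler attribute {attr_local} on <{local}>")
            if attr_local in URL_ATTRIBUTES and not value.strip().startswith("#"):
                raise SvgRejected(f"external reference in {attr_local} on <{local}>: {value[:40]!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except SvgRejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed XML: {exc}"
    return None


# Constructed samples: one benign drawing and four upload payloads.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<a href="#legend"><circle cx="5" cy="5" r="4" fill="red"/></a></svg>',
    "xxe": b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "remote": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="http://attacker.example/x.png"/></svg>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:7s} -> {svg_rejection_reason(body) or 'accepted'}")
```

Rejecting any DOCTYPE is deliberate: legitimate SVG exports do not need one, and it is the only place external entities can be declared, so the check does not depend on how the downstream XML library is configured. The gate is conservative by design (all non-fragment href values are refused) and does not cover CSS `url()` references in `<style>` content or `style` attributes; serving user-supplied SVG with `Content-Disposition: attachment` or from a separate origin remains the backstop for stored XSS.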
Positive Technologies · added 2024/10/17 12:00 a.m. · 3 views

PT-2024-33272 · Unknown · Messagepack-Csharp

Name of the Vulnerable Software and Affected Versions: MessagePack-CSharp versions prior to 2.5.187 and 3.0.214. Description: The vulnerability occurs when the library is used to deserialize messagepack data from an untrusted source, leading to a risk of a denial of service attack by an attacker...

CVSS 8.7 · AI score 6.8 · EPSS 0.00107
Exploits 0 · References 12
OSV · added 2024/02/29 10:14 p.m. · 16 views

GHSA-PCFX-G2J2-F6F6 Docassemble HTML and javascript injection

Impact: A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain tags allowing JavaScript to execute on the page. Patches: The vulnerability has been patched in version 1.4.97 of the master...

CVSS 6.1 · AI score 6.2 · EPSS 0.00205
Exploits 0 · References 4
OSV · added 2024/02/29 10:14 p.m. · 18 views

GHSA-7WXF-R2QV-9XWR Docassemble open redirect

Impact: It is possible to create a URL that acts as an open redirect. Patches: The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched. Workarounds: If upgrading is not possible, manually apply the changes of 4801ac7 and restart the...

CVSS 6.1 · AI score 6.1 · EPSS 0.00157
Exploits 0 · References 4
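The Docassemble entry above only says that a URL can be made to act as an open redirect; it does not say which parameter or how it was fixed. As an added example (not Docassemble's code), this is the check a redirect handler should apply to a caller-supplied target before putting it in a Location header, written to survive the usual bypasses: scheme-relative forms, backslashes, embedded tabs, userinfo tricks and non-http schemes. `host` and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Characters browsers strip or reinterpret inside URLs. A value carrying any of
# them is refused outright rather than normalized: "java\tscript:" becomes
# "javascript:" after tab stripping, CR/LF split the Location header, and a
# leading space hides a scheme from naive prefix checks.
CONTROL_CHARS = {chr(c) for c in range(0x21)} | {"\x7f"}


def is_safe_redirect(target: str, host: str) -> bool:
    """True only if `target` is a plain path or resolves to a page on `host`.

    Rejects scheme-relative forms (//evil, /\\evil, ///evil), non-http(s)
    schemes (javascript:, data:), userinfo tricks (https://host@evil) and any
    absolute URL whose hostname differs from `host`.
    """
    if not target or any(ch in CONTROL_CHARS for ch in target):
        return False
    # Browsers treat a backslash like a slash in http(s) URLs, so fold it first.
    normalized = target.replace("\\", "/")
    # Two or more leading slashes are parsed by browsers as "authority follows",
    # whatever urlsplit makes of them, so refuse them as a class.
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False
        # "http:evil.example" has a scheme but no authority; hostname is None
        # there, so it fails the comparison rather than slipping through.
        return (parts.hostname or "").lower() == host.lower()
    return True  # relative path: stays on the current origin


def safe_redirect_target(target: str, host: str, fallback: str = "/") -> str:
    """What the handler should actually redirect to: `target` if safe, else `fallback`."""
    return target if is_safe_redirect(target, host) else fallback


# Constructed cases for the demonstration below.
CASES = [
    "/interview?i=docassemble.demo",
    "https://app.example/user/profile",
    "//evil.example/",
    "/\\evil.example",
    "///evil.example",
    "javascript:alert(1)",
    "java\tscript:alert(1)",
    "https://app.example@evil.example/",
    "http:evil.example",
]

if __name__ == "__main__":
    for case in CASES:
        print(f"{case!r:45} -> {safe_redirect_target(case, 'app.example')!r}")
```

Comparing on the parsed hostname, rather than on a string prefix, is the point: prefix checks accept `https://app.example.evil.example` and `https://app.example@evil.example`, both of which fail here. Where the application has a handful of legitimate post-login destinations, an allow-list of paths is simpler still and removes the parsing question entirely.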