Lucene search

101 matches found

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2014-3114

Malware in sbrugna...

CVSS 2.1, AI score 6.4, EPSS 0.0033
Exploits 0, References 4
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2015-2055

Malware in sbrugna...

CVSS 4.6, AI score 6.4, EPSS 0.00355
Exploits 0, References 4
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2015-2042

Malware in sbrugna...

CVSS 7.5, AI score 6.4, EPSS 0.01647
Exploits 0, References 4
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2015-0175

Malware in sbrugna...

CVSS 4.3, AI score 6.4, EPSS 0.00681
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2015-0174

Malware in sbrugna...

CVSS 2.1, AI score 6.4, EPSS 0.00409
Exploits 0, References 2
IBM Security Bulletins
added 2025/09/29 7:23 a.m., 4 views

Security Bulletin: Axios before 1.8.2 allows SSRF and credential leakage when using absolute URLs despite baseURL setting

Summary: axios is a promise-based HTTP client for the browser and Node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This...

CVSS 8.7, AI score 6.4, EPSS 0.00759
Exploits 1, Affected Software 1
IBM Security Bulletins
added 2025/09/29 7:21 a.m., 3 views

Security Bulletin: Axios exposes confidential XSRF-TOKEN in all requests via X-XSRF-TOKEN header

Summary: An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information. Vulnerability Details: CVEID: CVE-2023-45857 DESCRIPTIO...

CVSS 6.5, AI score 6.3, EPSS 0.00556
Exploits 1, Affected Software 1
IBM Security Bulletins
added 2025/09/29 7:21 a.m., 5 views

Security Bulletin: Axios before 1.7.8 uses setAttribute('href') in isURLSameOrigin.js, raising potential security concern

Summary: In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href', href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a...

CVSS 9.8, AI score 7.1, EPSS 0.00342
Exploits 0, Affected Software 1
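The three axios bulletins above come down to two URL-handling decisions: whether a request may leave baseURL's origin, and whether the cookie-derived XSRF token may ride along on a given request. The following is an added example written for this page, not axios's own code; it uses the WHATWG URL object that Node.js and browsers expose as a global, and the hosts, paths and token value are made up for the demonstration.

```javascript
// Added example, not axios's own code: the two URL checks the bulletins above
// describe, written against the WHATWG URL object that Node.js and browsers
// provide as a global. Hosts and paths below are constructed for illustration.

// 1. Resolve a caller-supplied request URL against baseURL and refuse anything
//    whose origin differs from baseURL's. `new URL(input, base)` discards `base`
//    when `input` is absolute ("http://...") or protocol-relative ("//host/..."),
//    which is how an attacker-controlled path becomes an SSRF.
function resolveRequestUrl(baseURL, requestUrl) {
  const base = new URL(baseURL);
  const resolved = new URL(requestUrl, base);
  if (resolved.origin !== base.origin) {
    throw new Error(`request to ${resolved.origin} escapes baseURL origin ${base.origin}`);
  }
  return resolved.href;
}

// 2. Same-origin test via URL.origin (scheme + host + port together), instead of
//    reading attributes back from an anchor element. Input the URL parser rejects
//    is treated as foreign, so the credential stays home on error.
function isSameOrigin(requestUrl, pageOrigin) {
  try {
    return new URL(requestUrl, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false;
  }
}

// 3. Attach the cookie-derived XSRF token only to same-origin requests. Sending
//    it on every request, as 1.5.1 did, hands it to any third-party host.
function buildHeaders(requestUrl, pageOrigin, xsrfToken) {
  const headers = { Accept: 'application/json' };
  if (xsrfToken && isSameOrigin(requestUrl, pageOrigin)) {
    headers['X-XSRF-TOKEN'] = xsrfToken;
  }
  return headers;
}

// Stand-alone demo with constructed inputs.
const base = 'https://api.example.com/v1/';
console.log(resolveRequestUrl(base, 'users?id=1'));
for (const bad of ['http://attacker.example/steal', '//attacker.example/steal']) {
  try {
    resolveRequestUrl(base, bad);
  } catch (e) {
    console.log('blocked:', e.message);
  }
}
console.log(buildHeaders('/api/profile', 'https://app.example.com', 'tok'));
console.log(buildHeaders('https://cdn.example/x.js', 'https://app.example.com', 'tok'));
```

Comparing `origin` rather than string prefixes is the point: `https://api.example.com:8443/` and `http://api.example.com/` both fail the check even though the host matches, and the protocol-relative form `//attacker.example/...` is caught without a separate rule.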
IBM Security Bulletins
added 2025/09/27 3:24 a.m., 7 views

Security Bulletin: A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30).

Summary: A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). Vulnerability Details: CVEID: CVE-2024-31486 DESCRIPTION: A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices store MQTT client passwords without sufficient protection o...

CVSS 6, AI score 6.5, EPSS 0.00497
Exploits 2, Affected Software 1
IBM Security Bulletins
added 2025/09/27 3:16 a.m., 3 views

Security Bulletin: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

Summary: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. Vulnerability Details: CVEID: CVE-2024-4340 DESCRIPTION: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. CWE: CWE-674: Uncontrolled Recursio...

CVSS 7.5, AI score 6.5, EPSS 0.0321
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2025/09/02 5:11 a.m., 9 views

Security Bulletin: Insufficiently Random Values in form-data (lib/form_data.js) Leads to HTTP Parameter Pollution (HPP) – Affects versions <2.5.4, 3.0.0–3.0.3, and 4.0.0–4.0.3

Summary: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program file lib/form_data.js. This issue affects form-data: versions before 2.5.4, 3.0.0 through 3.0.3, and 4.0.0 through 4.0.3. Vulnerability Details: CVEID: CVE-2025-7783 DESCRIPTION...

CVSS 9.4, AI score 5.1, EPSS 0.01589
Exploits 1, Affected Software 1
IBM Security Bulletins
added 2025/07/01 5:59 p.m., 22 views

Security Bulletin: Waitress WSGI Server Vulnerability: HTTP Pipelining Request Handling with Disabled Lookahead

Summary: Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (the default) we won't read any more requests, and...

CVSS 9.1, AI score 7, EPSS 0.00492
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2025/06/27 7:05 a.m., 2 views

Security Bulletin: Werkzeug Multipart Parser Denial of Service via Malformed File Upload

Summary: Werkzeug is a comprehensive WSGI web application library. If an upload of a file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and a lookup for the boundary is performed on...

CVSS 8, AI score 7.4, EPSS 0.01063
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2025/06/27 5:34 a.m., 8 views

Security Bulletin: Werkzeug < 3.0.6 - Multipart Form Data Parsing Resource Exhaustion Vulnerability

Summary: Werkzeug is a Web Server Gateway Interface web application library. Applications using werkzeug.formparser.MultiPartParser from a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests (e.g. all Flask applications) are vulnerable to a relatively simple but...

AI score 7
Exploits 0, Affected Software 1
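Both Werkzeug bulletins above concern a multipart parser that keeps accumulating an upload while searching it for the boundary; the first describes the pattern precisely (append each chunk to one growing buffer, then search it again). The following added example, written for this page and not Werkzeug's code, models that cost in plain Node.js: a naive scanner that rescans the whole buffer after every chunk, beside a streaming scanner that hands everything except a short tail to the consumer and forgets it. The `work` and `maxHeld` counters are a constructed cost model (bytes examined and peak bytes buffered), the `--boundary` needle stands in for the real `\r\n--<boundary>` delimiter, and the chunks are synthetic.

```javascript
// Added example, not Werkzeug's code: a cost model for the two ways a multipart
// parser can look for the boundary in data that arrives in chunks. The needle
// stands in for the "\r\n--<boundary>" delimiter; the chunks are constructed.

// Quadratic: keep everything buffered and search the whole buffer again after
// every chunk. Megabytes without a boundary cost (1 + 2 + ... + n) * chunk size.
function naiveBoundaryScan(chunks, needle) {
  let buf = Buffer.alloc(0);
  let work = 0;                        // bytes examined in total
  let maxHeld = 0;                     // peak bytes kept in memory
  for (const chunk of chunks) {
    buf = Buffer.concat([buf, chunk]);
    maxHeld = Math.max(maxHeld, buf.length);
    work += buf.length;                // rescanned from offset 0 every time
    const idx = buf.indexOf(needle);
    if (idx !== -1) return { index: idx, work, maxHeld };
  }
  return { index: -1, work, maxHeld };
}

// Linear: after each unsuccessful search, everything except the last
// needle.length - 1 bytes can no longer be part of a boundary, so hand it to
// the consumer (onData) and drop it. Memory is bounded by one chunk plus that
// tail, and no byte is examined more than a constant number of times.
function streamingBoundaryScan(chunks, needle, onData) {
  let buf = Buffer.alloc(0);
  let base = 0;                        // absolute stream offset of buf[0]
  let work = 0;
  let maxHeld = 0;
  for (const chunk of chunks) {
    buf = Buffer.concat([buf, chunk]);
    maxHeld = Math.max(maxHeld, buf.length);
    work += buf.length;
    const idx = buf.indexOf(needle);
    if (idx !== -1) {
      onData(buf.subarray(0, idx));    // file bytes before the boundary
      return { index: base + idx, work, maxHeld };
    }
    const flushLen = Math.max(0, buf.length - (needle.length - 1));
    onData(buf.subarray(0, flushLen));
    base += flushLen;
    buf = buf.subarray(flushLen);      // keep only the tail that could still match
  }
  onData(buf);
  return { index: -1, work, maxHeld };
}

function makeChunks(count, size, fill) {
  return Array.from({ length: count }, () => Buffer.alloc(size, fill));
}

const needle = Buffer.from('--boundary');
const noBoundary = makeChunks(100, 1024, 'a');   // 100 KiB of upload, no delimiter
console.log('naive    ', naiveBoundaryScan(noBoundary, needle));
console.log('streaming', streamingBoundaryScan(noBoundary, needle, () => {}));
```

On the 100 chunk input the naive scanner examines 5,171,200 bytes and holds all 102,400 in memory; the streaming scanner examines 103,291 and never holds more than 1,033. Scale the chunk count to a multi-megabyte upload and the first number is the denial of service the bulletin describes.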
IBM Security Bulletins
added 2025/06/26 6:27 p.m., 5 views

Security Bulletin: Mongoose Improper Handling of Nested $where in populate() Match Allows Search Injection

Summary: Mongoose improper handling of nested $where in populate() match allows search injection due to an incomplete fix for CVE-2024-53900. Vulnerability Details: CVEID: CVE-2025-23061 DESCRIPTION: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search...

CVSS 9.8, AI score 7.9, EPSS 0.07025
Exploits 1, Affected Software 1
IBM Security Bulletins
added 2025/06/11 6:04 p.m., 19 views

Security Bulletin: Erlang/OTP SSH Protocol Flaw Allows Remote Code Execution

Summary: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious...

CVSS 10, AI score 10, EPSS 0.97673
Exploits 36, Affected Software 1
IBM Security Bulletins
added 2025/04/17 3:08 a.m., 21 views

Security Bulletin: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

Summary: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Vulnerability Details: CVEID: CVE-2024-53900 DESCRIPTION: Mongoose before 8.8.3 can improperly use $where in match. CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL...

CVSS 9.1, AI score 7.7, EPSS 0.03911
Exploits 3, Affected Software 1
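The two Mongoose bulletins on this page (CVE-2024-53900 and the incomplete-fix follow-up CVE-2025-23061) are about the same operator, `$where`, which makes MongoDB evaluate JavaScript server-side, reaching a `populate()` match from untrusted input. The following added example, written for this page and not Mongoose's own code, shows a filter check that only inspects top-level keys beside one that walks the whole filter, and a route-side helper that rejects any match containing `$where` before it is handed to the ODM. The filters are constructed to stand in for attacker-supplied JSON.

```javascript
// Added example, not Mongoose's own code: a sanitizer for a populate() match
// taken from untrusted input, plus the shallow check that explains why a
// top-level-only fix is incomplete. The filters are constructed for the demo.

// Incomplete: only looks at top-level keys, so `$where` inside `$or`, `$and`,
// `$elemMatch` or any nested object slips through.
function shallowHasWhere(filter) {
  return filter !== null && typeof filter === 'object' &&
    Object.prototype.hasOwnProperty.call(filter, '$where');
}

// Complete: walk every object and array. `$where` anywhere means server-side
// JavaScript evaluation, which untrusted input must never reach.
function deepHasWhere(value) {
  if (Array.isArray(value)) return value.some(deepHasWhere);
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) => k === '$where' || deepHasWhere(v));
}

// Build the populate option the way a route handler should: reject rather than
// strip, so a hostile request shows up in logs instead of being silently altered.
function buildPopulate(path, untrustedMatch) {
  if (deepHasWhere(untrustedMatch)) {
    throw new Error(`populate match for "${path}" contains $where`);
  }
  return { path, match: untrustedMatch };
}

// Constructed attacker input, as it would arrive from a JSON body or query string.
const nestedWhere = JSON.parse(
  '{"$or":[{"status":"active"},{"$where":"sleep(5000) || true"}]}'
);
const topLevelWhere = JSON.parse('{"$where":"1 == 1"}');
const clean = JSON.parse('{"status":"active","tags":{"$in":["a","b"]}}');

console.log('shallow check sees nested $where:', shallowHasWhere(nestedWhere)); // false
console.log('deep check sees nested $where:   ', deepHasWhere(nestedWhere));    // true
console.log(buildPopulate('comments', clean));
try {
  buildPopulate('comments', nestedWhere);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The shallow check is exactly the gap between the two CVEs: it passes `{"$or":[...,{"$where":...}]}` untouched. Keeping the recursive check at the application boundary also protects code paths the library's own fix does not cover, such as a match that is assembled from user input elsewhere in the query.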
IBM Security Bulletins
added 2024/12/10 9:32 a.m., 10 views

Security Bulletin: Promise based HTTP client for the browser and node.js

Summary: Axios is vulnerable to Regular Expression Denial of Service (ReDoS). When a manipulated string is provided as input to the format method, the regular expression exhibits a time complexity of O(n^2). The server becomes unable to provide normal service due to the excessive cost and time wasted in...

AI score 7
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2024/12/10 9:20 a.m., 7 views

Security Bulletin: User can inject the suspected code via URL passed

Summary: A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to cod...

AI score 8.9
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2024/08/14 1:09 p.m., 14 views

Security Bulletin: PyMySQL allows SQL injection [CVE-2024-36039]

Summary: PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict. Vulnerability Details: CVEID: CVE-2024-36039 DESCRIPTION: PyMySQL is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which cou...

CVSS 6.3, AI score 7.1, EPSS 0.00691
Exploits 1, Affected Software 1