
9 matches found

ATTACKERKB
added 2026/04/15 12:22 a.m., 1 view

CVE-2025-54550

The example example_xcom that was included in the Airflow documentation implemented an unsafe pattern of reading a value from XCom in a way that could be exploited to allow a UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly...

AI score 5.9, EPSS 0.00579
Exploits 0, References 3
OSV
added 2026/03/11 6:17 a.m., 3 views

CVE-2023-27573

netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the toke...

CVSS 9, AI score 5.7
Exploits 0, References 3
Github Security Blog
added 2026/03/03 9:06 p.m., 5 views

Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

For this to work, the attacker must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production...

CVSS 8.6, AI score 6, EPSS 0.00514
Exploits 0, References 5, Affected Software 1
Vulnrichment
added 2025/12/14 8:32 a.m., 4 views

CVE-2025-14651 MartialBE one-hub docker-compose.yml hard-coded key

A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attac...

CVSS 6.3, AI score 6.3, EPSS 0.00298
Exploits 0, References 6
Cvelist
added 2025/12/14 8:32 a.m., 19 views

CVE-2025-14651 MartialBE one-hub docker-compose.yml hard-coded key

A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attac...

CVSS 6.3, EPSS 0.00298
Exploits 0, References 6
Positive Technologies
added 2025/12/14 12:00 a.m., 2 views

PT-2025-51155

A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an atta...

CVSS 6.3, AI score 6.5, EPSS 0.00298
Exploits 0, References 7
SUSE CVE
added 2025/11/15 12:23 a.m., 2 views

SUSE CVE-2025-59840

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...

CVSS 8.1, AI score 7.1, EPSS 0.00334
Exploits 0, References 3
Positive Technologies
added 2022/08/22 12:00 a.m., 4 views

PT-2022-9905

Name of the Vulnerable Software and Affected Versions: Python versions 3.x through 3.10. Description: The issue is related to an open redirection vulnerability in lib/http/server.py due to no protection against multiple / at the beginning of the URI path, which may lead to information disclosure. It is...

CVSS 9.8, AI score 8.2, EPSS 0.51733
Exploits 28, References 306
PyPA
added 2017/09/07 1:29 p.m., 5 views

PYSEC-2017-44

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you...

CVSS 6.1, AI score 6.1, EPSS 0.23566
Exploits 0, References 5, Affected Software 1