92 matches found
PT-2026-1559
Name of the Vulnerable Software and Affected Versions OpenFlagr versions prior to and including 1.1.18 Description The software contains an authentication bypass issue in the HTTP middleware. Improper path normalization within the whitelist logic allows crafted requests to bypass authentication,...
Improper Path Handling
formio is vulnerable to improper path handling. The vulnerability is due to improper validation of crafted request paths, which allows an unauthenticated or unauthorized attacker to bypass API access controls and retrieve data from protected endpoints...
CVE-2025-67718
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
Improper Handling of Case Sensitivity
Overview org.webjars.npm:formio is an A Form and Data Management Platform for Progressive Web Applications Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of the path parameter. An attacker can gain unauthorized access to protected A...
Improper Handling of Case Sensitivity
Overview formio is an A Form and Data Management Platform for Progressive Web Applications Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of the path parameter. An attacker can gain unauthorized access to protected API endpoints by...
CVE-2025-67718
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718
Form.io exposes a path-handling vulnerability that can let unauthenticated/unauthorized requests access protected API endpoints by sending crafted request paths. Affected versions: 3.5.6 and earlier, and 4.0.0-rc.1 through 4.4.2. Impact is data exposure from endpoints that should be protected. Fi...
CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
PT-2025-50565
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
GHSA-M654-769V-QJV7 Formio improperly authorized permission elevation through specially crafted request path
Security Advisory: Unauthorized permission elevation through specially crafted request path Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain...
CVE-2013-10072 Nagios XI < 2012R1.6 Auto-Discovery Missing Authorization
Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discove...
CVE-2025-6892
CVE-2025-6892, -6893, and -6894 relate to Moxa network security devices. The connected Red Hat advisories describe a set of API/authorization flaws in Moxa appliances: (CVE-2025-6892) an Incorrect Authorization flaw in API authentication that allows unauthorized privileged operations after login;...
EUVD-2025-31126
Malicious code in bioql PyPI...
EUVD-2025-19645
Malicious code in bioql PyPI...
CVE-2025-59841
Flag Forge is a Capture The Flag CTF platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still...
CVE-2025-59841 FlagForgeCTF's Improper Session Handling Allows Access After Logout
Flag Forge is a Capture The Flag CTF platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still...
PT-2025-39418
Name of the Vulnerable Software and Affected Versions Flag Forge versions 2.2.0 through 2.3.0 Description Flag Forge improperly manages session invalidation. After a user logs out, they can still access protected endpoints, such as /api/profile, and CSRF tokens remain valid. This allows continued...
Linux Distros Unpatched Vulnerability : CVE-2022-42260
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NVIDIA vGPU Display Driver for Linux guest contains a vulnerability in a D-Bus configuration file, where an unauthorized user in the guest VM can impact protect...