CVE-2025-50110

An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0, the GetHttpsResponse method transmits sensitive information - including internal server URLs, account IDs, passwords, and device tokens - as plaintext query parameters over HTTPS...

PT-2025-37565

Name of the Vulnerable Software and Affected Versions: AVTECH EagleEyes Lite version 2.0.0 Description: The GetHttpsResponse method transmits sensitive information – including internal server URLs, account IDs, passwords, and device tokens – as plaintext query parameters over HTTPS. The affected...

Linux Distros Unpatched Vulnerability : CVE-2024-38863

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions 2.3.0p18, 2.2.0p35 and 2.1.0p48 could lead to a leak of the...

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110.

...

CVE-2025-9737

A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /xqueryassembledesigner/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross site scripting. Remote...

CVE-2025-50985

diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting XSS flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q query, and doctype are directly echoed into the HTML response, allowing attackers to inject and...

CVE-2025-50976

IPFire 2.29 DNS management interface dns.cgi fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLSHOSTNAME query parameters, resulting in a reflected cross-site scripting XSS vulnerability...

Linux Distros Unpatched Vulnerability : CVE-2025-46727

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and...

Authentication Bypass

github.com/oauth2-proxy/oauth2-proxy is vulnerable to Authentication Bypass. The vulnerability is due to the skipauthroutes configuration option matching against the full request URI, including query parameters, when using overly permissive regex patterns, which allows an attacker to craft URLs...

The ADOdb sqlite3 driver allows SQL injection

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns, metaForeignKeys or metaIndexes methods with a crafted table name. Note that the indicated Severity corresponds to a...

BIT-OAUTH2-PROXY-2025-54576 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skipauthroutes configuration option...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to using the skipauthroutes configuration option with regex patterns. An attacker can gain unauthorized access to protected resources by crafting URLs with query parameters that match overly broad or improperly...

GHSA-7RH7-C77V-6434 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

Impact This vulnerability affects oauth2-proxy deployments using the skipauthroutes configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining...

CVE-2025-54576 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skipauthroutes configuration option...

CVE-2025-54576 OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skipauthroutes configuration option...

The vulnerability of the PHP Snappy library relates to incorrect restrictions on the path to the restricted directory. This allows attackers to gain unauthorized access to local files and directories.

The vulnerability of the PHP Snappy library is related to an incorrect limitation on the path name for the restricted access directory. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to local files and directories on the server when...

GHSA-7PGW-Q3QP-6PGQ DynamicPageList3 vulnerability exposes hidden/suppressed usernames

Summary Several dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. Details The parameters adduser, addauthor, and addlasteditor output the page creator or last editor using the %USER% placeholder. These display the actual...

CVE-2025-4955 tarteaucitron.io < 1.9.5 - Contributor+ Stored XSS

The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks...

CVE-2025-4955 tarteaucitron.io < 1.9.5 - Contributor+ Stored XSS

The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks...

TencentOS Server 3: weldr-client (TSSA-2023:0092)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0092 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...