9 matches found
Malicious code in buddyme (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f4ae4b8c00d27e82d54a5d2d960b1dc4f40ba15bc938355bad8421c338d6ef6 buddyme advertises a CLI agent. When installed and run, the default REPL routes every prompt the user types to third-party LLM providers Zhipu GLM at...
SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers
Summary Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 no /Users/zwique/Downloads/SandboxJS found. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...
CVE-2026-23835 LobeHub Vulnerable to Improper Authorization in Presigned Upload
LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in Knowledge Base File Upload does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitra...
CVE-2025-67732
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...
WordPress - WP Social Ninja exposed API Key
WordPress - WP Social Ninja exposed API Key Joshua Martinelle Thu, 09/04/2025 - 08:43 WP Social Media is a WordPress plugin that allows to integrate social media feeds such as Instagram Feed, Facebook Feed, social reviews such as Google Reviews, WooCommerce Reviews Pro, and chat widgets such as...
PT-2024-28551 · WordPress · Convertkit
Name of the Vulnerable Software and Affected Versions: The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress versions up to, and including, 2.4.9 Description: The issue is related to a missing capability check on the tag subscriber function, allowi...
PT-2024-12302 · Rancher · Rancher
Name of the Vulnerable Software and Affected Versions: Rancher versions 2.6.0 through 2.6.13 Rancher versions 2.7.0 through 2.7.9 Rancher versions 2.8.0 through 2.8.1 Description: A vulnerability has been identified when granting a create or global role for a resource type of "namespaces". This c...
PT-2022-7335 · Xenstore +1 · Xenstore +1
Name of the Vulnerable Software and Affected Versions: Xenstore affected versions not specified Description: The issue is related to a bug in the fix of XSA-115, where a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path. This can result in a crash of...
PT-2019-4490 · Linux +4 · Linux Kernel +4
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.3.9 Description: The issue is related to the cpu.cfs quota us function in the Linux kernel, which can lead to a denial of service against non-cpu-bound applications. This can be triggered by generating a...