Snyk, added 2025/12/16 10:32 p.m., 1 view

Malicious Package

Overview: privy-frames-drop is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.9
Exploits: 0, References: 2
Snyk, added 2025/12/16 10:32 p.m., 2 views

Malicious Package

Overview: testforyt7hb is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.9
Exploits: 0, References: 2
OSV, added 2025/12/16 1:15 a.m., 4 views

PYSEC-2025-232

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability...

CVSS 5.3, AI score 5.8, EPSS 0.00019
Exploits: 0, References: 2
PyPA, added 2025/12/16 1:15 a.m., 6 views

PYSEC-2025-232

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability...

CVSS 5.3, AI score 5.8, EPSS 0.00019
Exploits: 0, References: 2, Affected software: 1
NVD, added 2025/12/16 1:15 a.m., 2 views

CVE-2025-67492

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability...

CVSS 5.3, EPSS 0.00019
Exploits: 0, References: 2
NVD, added 2025/12/16 12:16 a.m., 5 views

CVE-2025-66407

Weblate is a web-based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...

CVSS 5.0, EPSS 0.00021
Exploits: 0, References: 3
OSV, added 2025/12/16 12:05 a.m., 3 views

CVE-2025-67492 Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability...

CVSS 5.3, AI score 6.7, EPSS 0.00019
Exploits: 0, References: 4
CVE, added 2025/12/16 12:05 a.m., 8 views

CVE-2025-67492

CVE-2025-67492 affects Weblate prior to version 5.15, where a crafted webhook payload could trigger mass repository updates and component enumeration through an overly permissive webhook endpoint. The root cause is the webhook handling allowing unauthorized triggering across multiple repositories...

CVSS 5.3, AI score 6.3, EPSS 0.00019
Exploits: 0, References: 2, Affected software: 1
Cvelist, added 2025/12/16 12:05 a.m., 22 views

CVE-2025-67492 Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability...

CVSS 5.3, EPSS 0.00019
Exploits: 0, References: 2
CNNVD, added 2025/12/16 12:00 a.m., 1 view

Weblate cross-site request forgery vulnerability

Weblate is a copyleft open-source web-based free software continuous localization system. A cross-site request forgery vulnerability exists in Weblate versions prior to 5.15, which stems from an unvalidated or unsanitized repository URL field in the Create Component function, and could lead to...

CVSS 5.0, AI score 6.4, EPSS 0.00021
Exploits: 0, References: 4
Cvelist, added 2025/12/15 11:36 p.m., 24 views

CVE-2025-66407 Weblate has Server-Side Request Forgery vulnerability

Weblate is a web-based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...

CVSS 5.0, EPSS 0.00021
Exploits: 0, References: 3
OSV, added 2025/12/15 11:36 p.m., 2 views

CVE-2025-66407 Weblate has Server-Side Request Forgery vulnerability

Weblate is a web-based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...

CVSS 5.0, AI score 6.4, EPSS 0.00021
Exploits: 0, References: 5
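
The CVE-2025-66407 entries above describe the SSRF class of issue: a repository URL typed by an authorized user is handed to a VCS client that will connect wherever it points. The check below is an added example written for this page, not Weblate's own code; the allowed schemes and the blocked address classes are an assumed policy. It checks the scheme, rejects loopback/private/link-local literals, and then checks every address a hostname resolves to, since hex or octal forms such as 0x7f000001 and internal DNS names only reveal their target after resolution. The resolver is injectable so the demonstration runs offline.

```python
"""Added example (not Weblate's code): validate a user-supplied VCS repository
URL before the server is allowed to clone from it. ALLOWED_SCHEMES and the
blocked address classes are an assumed policy, not taken from the advisory."""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh"}  # assumption: no file://, ext::, http://, git://


def _is_blocked_ip(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata lives at
    169.254.169.254), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _dns(host: str) -> List[str]:
    """Default resolver; callers and tests can inject a fake so nothing touches the network."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_repo_url(url: str,
                   resolve: Optional[Callable[[str], List[str]]] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a repository URL a user asked the server to clone."""
    parts = urlsplit(url.strip())
    # scp-like 'git@host:path' has no scheme and is rejected here; a caller that
    # wants to accept it must rewrite it to ssh://git@host/path first.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname            # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    try:
        if _is_blocked_ip(host):     # literal IPv4/IPv6 in the URL
            return False, f"{host} is in a blocked address range"
        return True, "ok"
    except ValueError:
        pass                         # not an IP literal: resolve it
    # Check every resolved address, not just the literal name: hex/octal forms
    # such as 0x7f000001 and internal DNS names both resolve into blocked ranges.
    addrs = (resolve or _dns)(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if _is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    fake_dns = lambda h: ["140.82.121.4"]          # constructed answer for the demo
    for candidate in ("https://github.com/WeblateOrg/weblate.git",
                      "file:///etc/passwd",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://[::1]/repo.git"):
        print(candidate, "->", check_repo_url(candidate, resolve=fake_dns))
```

The check is still subject to DNS rebinding between validation and the actual clone; the robust fix is to resolve once, pin the answer, and have the VCS client connect to that address, or to run the clone from a network segment that cannot reach internal ranges at all.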
Snyk, added 2025/12/15 10:01 p.m., 2 views

Improper Validation of Syntactic Correctness of Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the webhook endpoint. An attacker can enumerate components and trigger updates for multiple repositories by sending crafted webhook payloads. Workaround: This vulnerability can be...

CVSS 6.9, AI score 6.9, EPSS 0.00019
Exploits: 0, References: 2
OSV, added 2025/12/15 10:01 p.m., 1 view

GHSA-PJ86-258H-QRVF Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration

Impact: It was possible to trigger repository updates for many repositories via a crafted webhook payload. Patches: https://github.com/WeblateOrg/weblate/pull/17221 Workarounds: Disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. References: Thanks to Hector Ruiz Ruiz & NaxusAI...

CVSS 5.3, AI score 6.7, EPSS 0.00019
Exploits: 0, References: 5
Github Security Blog, added 2025/12/15 10:01 p.m., 5 views

Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration

Impact: It was possible to trigger repository updates for many repositories via a crafted webhook payload. Patches: https://github.com/WeblateOrg/weblate/pull/17221 Workarounds: Disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. References: Thanks to Hector Ruiz Ruiz & NaxusAI...

CVSS 5.3, AI score 6.8, EPSS 0.00019
Exploits: 0, References: 5, Affected software: 1
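
The CVE-2025-67492 / GHSA-PJ86-258H-QRVF entries above name two consequences of an over-permissive anonymous webhook: fan-out of repository updates across many components, and enumeration of which components exist. The dispatcher below is an added example written for this page, not Weblate's code and not the fix in the linked pull request; the GitHub-style payload shape (repository.clone_url / ssh_url), the component table and the per-hook cap are assumptions. It selects components only by exact match on a normalized repository URL (the payload is never treated as a pattern), returns the same status whether or not a URL is known, caps how many components one payload may touch, and verifies an HMAC over the body when a shared secret is configured.

```python
"""Added example (not Weblate's code): scope what an anonymous VCS webhook can
trigger. Payload shape, COMPONENTS and MAX_COMPONENTS_PER_HOOK are assumptions."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed component table: component name -> configured repository URL.
COMPONENTS = {
    "app/frontend": "https://github.com/example/app.git",
    "app/backend":  "git@github.com:example/app-backend.git",
    "docs/site":    "https://gitlab.example.org/docs/site",
}
MAX_COMPONENTS_PER_HOOK = 20   # assumed cap on fan-out from a single payload


def normalize_repo_url(url: str) -> str:
    """Canonical 'host/path' so https://GitHub.com/example/app.git/ and
    git@github.com:example/app compare equal. Host is case-folded; the path
    is not, because most git hosts treat paths as case-sensitive."""
    url = url.strip()
    if "://" not in url and "@" in url and ":" in url:     # scp-like git@host:path
        user_host, path = url.split(":", 1)
        host = user_host.split("@", 1)[1]
    else:
        parts = urlsplit(url)
        host, path = (parts.hostname or ""), parts.path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host.lower()}/{path}"


def _index() -> dict:
    """Exact-match lookup from normalized URL to the components that use it."""
    idx: dict = {}
    for name, repo in COMPONENTS.items():
        idx.setdefault(normalize_repo_url(repo), []).append(name)
    return idx


def sign_body(secret: bytes, body: bytes) -> str:
    """GitHub-style signature header value over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def push_payload(clone_url: Optional[str] = None, ssh_url: Optional[str] = None) -> bytes:
    """Constructed push-event body in the assumed payload shape."""
    repo = {k: v for k, v in (("clone_url", clone_url), ("ssh_url", ssh_url)) if v}
    return json.dumps({"repository": repo}).encode()


def dispatch_hook(body: bytes, signature: Optional[str],
                  secret: Optional[bytes]) -> Tuple[int, List[str]]:
    """Return (http_status, components to update).

    403: configured secret and the signature does not verify.
    400: body is not a payload we understand.
    202: accepted; the list may be empty, and the status is identical for
         known and unknown repositories so the endpoint cannot enumerate."""
    if secret is not None:
        if not signature or not hmac.compare_digest(signature, sign_body(secret, body)):
            return 403, []
    try:
        repo = json.loads(body)["repository"]
        urls = [u for u in (repo.get("clone_url"), repo.get("ssh_url")) if isinstance(u, str)]
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, []
    if not urls:
        return 400, []
    idx = _index()
    selected = set()
    for u in urls:
        selected.update(idx.get(normalize_repo_url(u), []))   # exact match only
    if len(selected) > MAX_COMPONENTS_PER_HOOK:
        return 202, []          # refuse mass fan-out; log it for review instead
    return 202, sorted(selected)


if __name__ == "__main__":
    body = push_payload("https://github.com/example/app.git", "git@github.com:example/app.git")
    print(dispatch_hook(body, None, None))
    print(dispatch_hook(push_payload("*"), None, None))          # no pattern semantics
    key = b"shared-secret"                                        # constructed secret
    print(dispatch_hook(body, None, key), dispatch_hook(body, sign_body(key, body), key))
```

Whether a given deployment should require the signature or keep anonymous hooks at all is the same decision the advisory's ENABLE_HOOKS workaround makes globally; the example shows the narrower alternative of keeping hooks but bounding what one payload can select.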
OSV, added 2025/12/15 8:15 p.m., 3 views

GO-2025-4237 Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip in github.com/weaviate/weaviate

Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip in github.com/weaviate/weaviate...

CVSS 7.2, AI score 6.8, EPSS 0.00213
Exploits: 0, References: 5
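
The GO-2025-4237 entry names ZipSlip: an archive member whose path (through ../ segments or an absolute path) lands outside the directory a backup-restore routine meant to write into. The check below is an added example written for this page, in Python rather than Weaviate's Go and not Weaviate's code; the backup archive it inspects is constructed inline. The rule is to resolve each member's final path against the real destination directory and refuse the whole archive if any member escapes or is a symlink entry, before writing anything.

```python
"""Added example (not Weaviate's code): refuse archive members that would be
written outside the extraction directory. The archive contents are constructed
here to exercise the check."""
import io
import os
import stat
import tempfile
import zipfile
from typing import List


def unsafe_members(zf: zipfile.ZipFile, dest: str) -> List[str]:
    """Names of members that escape `dest` via '..', an absolute path, or that
    are symlink entries (a link extracted first can redirect a later write)."""
    root = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        target = os.path.realpath(os.path.join(root, info.filename))
        escapes = target != root and not target.startswith(root + os.sep)
        is_link = stat.S_ISLNK(info.external_attr >> 16)   # unix mode bits
        if escapes or is_link:
            bad.append(info.filename)
    return bad


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Extract only if every member stays inside `dest`; otherwise write nothing."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = unsafe_members(zf, dest)
        if bad:
            raise ValueError(f"refusing archive, members escape target: {bad}")
        zf.extractall(dest)
        return [info.filename for info in zf.infolist()]


def build_backup(traversal: bool) -> bytes:
    """Constructed backup archive; with traversal=True it carries ZipSlip members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/schema.json", "{}")
        if traversal:
            zf.writestr("../../escape.txt", "owned")
            zf.writestr("/abs.txt", "owned")
    return buf.getvalue()


def demo() -> dict:
    """Run the clean and the malicious archive against a fresh temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        result = {"clean": safe_extract(build_backup(False), dest)}
        with zipfile.ZipFile(io.BytesIO(build_backup(True))) as zf:
            result["flagged"] = sorted(unsafe_members(zf, dest))
        try:
            safe_extract(build_backup(True), dest)
            result["rejected"] = False
        except ValueError:
            result["rejected"] = True
        result["written"] = sorted(os.listdir(dest))   # only the clean tree
    return result


if __name__ == "__main__":
    print(demo())
```

The comparison is done on realpath() output so that a destination reached through a symlink and a member path containing '..' are both judged by where the bytes would actually land, not by the string in the archive header.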
OSV, added 2025/12/15 7:37 p.m., 3 views

GO-2025-4207 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers in github.com/1Panel-dev/1Panel

1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers in github.com/1Panel-dev/1Panel...

CVSS 6.5, AI score 6.9, EPSS 0.00043
Exploits: 0, References: 3
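
The GO-2025-4207 entry describes an IP allow-list that trusts X-Forwarded-For as sent by the client. The functions below are an added example written for this page, in Python rather than 1Panel's Go and not 1Panel's code; the trusted-proxy range and the allow-list are assumptions. naive_client_ip shows the bypassable pattern (believe the leftmost header value); client_ip walks the chain from the socket peer leftward and stops at the first hop that is not a configured proxy, so a client can only influence values that sit to the left of that hop.

```python
"""Added example (not 1Panel's code): derive the client address for an IP
allow-list without trusting client-supplied X-Forwarded-For. TRUSTED_PROXIES and
ADMIN_ALLOWLIST are assumptions for the demonstration."""
import ipaddress
from typing import Iterable, Optional

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]       # assumed reverse-proxy range
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]   # assumed permitted clients


def _in(ip_text: str, nets: Iterable) -> bool:
    """Membership test that treats unparseable input as 'not in any network'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The bypassable pattern: believe the leftmost X-Forwarded-For value."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Walk the chain from the right. remote_addr is the socket peer, the only
    hop known for certain. Step left only while the hop is a trusted proxy,
    because a trusted proxy appends the address it actually saw; the first
    untrusted hop is the client, and everything left of it came from the client."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        if not _in(hop, trusted):
            return hop
    return hops[0]   # every hop is a trusted proxy: the leftmost is the client


def is_allowed(ip_text: str) -> bool:
    return _in(ip_text, ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Direct connection from the internet carrying a forged header.
    spoof = ("203.0.113.9", "192.168.1.10")
    print("naive:", is_allowed(naive_client_ip(*spoof)), "strict:", is_allowed(client_ip(*spoof)))
    # Same forged value, but arriving via a trusted proxy that appended the real peer.
    via_proxy = ("10.0.0.2", "192.168.1.10, 203.0.113.9")
    print("strict via proxy:", client_ip(*via_proxy))
```

If the service is ever reachable without passing through the trusted proxies (a second listener, a misrouted path), the list must be empty for that path, or remote_addr alone must be used; a trusted range that is wider than the real proxies reintroduces the bypass.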
RedhatCVE, added 2025/12/12 4:00 p.m., 4 views

CVE-2025-67739

In JetBrains TeamCity before 2025.11.2, improper repository URL validation could lead to local path disclosure...

CVSS 3.1, AI score 6.4, EPSS 0.00001
Exploits: 0, References: 1
NVD, added 2025/12/12 7:15 a.m., 2 views

CVE-2025-67727

Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permission...

CVSS 9.8, EPSS 0.00061
Exploits: 0, References: 3
Snyk, added 2025/12/12 6:34 a.m., 2 views

Malicious Package

Overview: pp-js-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2