222230 matches found
CVE-2026-8643 pip can extract console_scripts and gui_scripts outside installation directory
pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...
CVE-2026-8643
pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...
EUVD-2026-33682
pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...
CVE-2026-8643 pip can extract console_scripts and gui_scripts outside installation directory
pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...
CVE-2026-8643
The CVE-2026-8643 vulnerability affects the Python package installer, pip. A flaw allows a malicious wheel containing crafted entry-point names that use directory traversal or absolute paths to cause wrappers to be written outside the installation directory, enabling arbitrary file overwrite and ...
CVE-2026-8643
pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...
Cross-site Scripting (XSS)
Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript in the context...
Important: Red Hat Security Advisory: resource-agents security update
An update for resource-agents is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common...
CVE-2018-25409
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksipengurus.php endpoint with module=pengurus and act=update parameters, which...
CVE-2026-45261
GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows fo...
CVE-2026-6824
A stored cross-site scripting XSS vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...
CVE-2026-6824
A stored cross-site scripting XSS vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...
CVE-2018-25388
HaPe PKH 1.1 has an arbitrary file upload vulnerability that bypasses file type validation, allowing authenticated attackers to upload PHP files and execute arbitrary code on the server. Affected endpoints include aksi_foto.php, aksi_user.php, and aksi_kecamatan.php. CVSS metrics indicate high im...
CVE-2026-9559
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges...
EUVD-2026-33277
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges...
CVE-2026-10058 ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting
ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...
EUVD-2026-33250
The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounteraddToTags function. The function is hooked to wphead...
PT-2026-44969
A stored cross-site scripting XSS vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...
CP Plus CP Series 跨站脚本漏洞
The CP Plus CP Series is a series of video surveillance and security device products developed by CP Plus Company. The CP Plus CP Series contains a cross-site scripting vulnerability. This vulnerability stems from insufficient input cleaning in certain functional modules, allowing attackers to...
CVE-2026-46363
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...